
New Response


You are replying to:

  1. The "side-effect" is that the sanitiser (can it be called that?) strips everything after the < symbol in the belief that it is the start of an HTML tag.

    I've been trying all sorts of ways to inject something executable in there. Most of the time my tags vanish. I've tried CSS style injection; it strips any url() style imports. All <div>s turn to <span>s (and I still can't embed things in them). Any mention of the word script, or any derivative of it, vanishes into the aether, and it strips a lot of things which are harmless, and all that is malicious. The only downside is that it errs on the side of caution. Hence the above @formula code cannot be used.

    Ignorance is no defence in the eyes of the law. Of course the best option is not to fall foul of the law in the first place.
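Taking the quoted description literally, the following is a small model of such a sanitiser, added here as an example. It is not the blog's own code: the tag allow-list, the order of the rules and the exact patterns are assumptions, and only the behaviours the commenter names are reproduced (an unrecognised "<" truncates the rest of the text, <div> becomes <span>, url() references are stripped, any word containing "script" vanishes). The sample inputs are constructed.

```python
import re

# Added example (not the blog's own code): a model of the comment sanitiser as the
# quoted reply describes it. ALLOWED_TAGS, the rule order and the regexes are
# assumptions; only the behaviours the commenter names are reproduced.

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "span", "div"}  # assumed allow-list
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>")
URL_RE = re.compile(r"url\s*\([^)]*\)", re.IGNORECASE)
SCRIPT_WORD_RE = re.compile(r"\w*script\w*", re.IGNORECASE)


def sanitise(comment: str) -> str:
    """Return the comment as the modelled sanitiser would store it."""
    out = []
    pos = 0
    while True:
        lt = comment.find("<", pos)
        if lt == -1:
            out.append(comment[pos:])
            break
        out.append(comment[pos:lt])
        m = TAG_RE.match(comment, lt)
        if m is None or m.group(2).lower() not in ALLOWED_TAGS:
            # The side effect: a '<' that does not begin a recognised tag is taken
            # as the start of one anyway, and everything from it onwards is dropped,
            # so a harmless "a < b" loses its tail.
            break
        slash, name, attrs = m.groups()
        name = name.lower()
        if name == "div":
            name = "span"                 # <div> is rewritten to <span>
        attrs = URL_RE.sub("", attrs)     # CSS url() imports are stripped
        out.append(f"<{slash}{name}{attrs}>")
        pos = m.end()
    # "script" and any derivative (javascript, description, ...) vanish outright.
    return SCRIPT_WORD_RE.sub("", "".join(out))


def demo() -> dict:
    """Run the modelled sanitiser over constructed inputs (sample data, not real posts)."""
    samples = {
        "formula": '@If(x < 10; "small"; "large")',
        "div_with_import": '<div style="background:url(http://example.invalid/x.png)">hi</div>',
        "script_tag": "<script>alert(1)</script>",
        "script_word": "<b>javascript is fun</b>",
        "plain": "just text",
    }
    return {key: sanitise(value) for key, value in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result!r}")
```

The "formula" sample is the case the commenter ran into: the comparison operator is the first "<" the sanitiser sees, it is not a recognised tag, and the rest of the formula is discarded. The other samples show the rewriting and stripping rules doing what the comment says they do.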
