I discovered a scary thing today. I have been using the DW insert/update form behaviours on my site.
Just by chance I entered a bit of HTML in one of my fields:
<b>asdf</b>. To my surprise, after inserting the record into the DB, the "asdf" part was rendered in bold when the record was later displayed.
This leaves the app wide open to XSS.
Although DW passes user input through a function, it only checks for apostrophes:
mysql_real_escape_string($theValue)
Scary or what. I wonder how many people out there are unaware of this.
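An added example (not from the post above, and not Dreamweaver's generated code) showing why the escaping step leaves the tags intact and how HTML-encoding the value at output time closes the hole. The sql_escape_like_dw() helper is an assumed stand-in for mysql_real_escape_string(), which needs a live MySQL connection; the $input value is constructed to match the post.

```php
<?php
// Stand-in for what mysql_real_escape_string() does to a value: it only
// backslash-escapes the characters that matter inside a SQL string literal
// (NUL, newline, carriage return, backslash, quotes, Ctrl-Z). This is an
// offline imitation, not the real function, which needs a DB connection.
function sql_escape_like_dw(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// The value as it ends up in the table after the DW insert behaviour:
// SQL metacharacters are escaped, HTML tags are left exactly as typed.
function stored_value(string $userInput): string
{
    return sql_escape_like_dw($userInput);
}

// Fix: encode every field when it is echoed into a page, no matter how
// it was escaped on the way into the database. SQL escaping and HTML
// encoding solve different problems and one never replaces the other.
function render_field(string $dbValue): string
{
    return htmlspecialchars($dbValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, same as in the post.
$input = '<b>asdf</b>';

$stored = stored_value($input);
echo "stored in DB:   $stored\n";                       // <b>asdf</b>
echo "echoed raw:     $stored\n";                       // browser shows asdf in bold
echo "echoed encoded: " . render_field($stored) . "\n"; // &lt;b&gt;asdf&lt;/b&gt;
```

The first two lines of output are identical because the escaping step never touched the angle brackets; only the third line is safe to put inside an HTML page.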
