1 point by mr-anonymous 6168 days ago | link | parent

Yes, I read those. But the point of the challenge is that the last page displays "whatever he put in the input field". I tried out the supposed arc answer to the challenge and it doesn't actually display what I put into the input field.

Try writing "The first conquistador in what is now the US was Juan Ponce de León and the last was Don Juan de Oñate Salazar." (There's an o-with-acute-accent in León, and there's an n-with-tilde in Oñate.)

Try writing "Nóróveirusýking á Hlíð", which is a headline from today's Morgunblaðið (a newspaper in Iceland).

Try writing "Don't use the <blink> element!"

Or try writing some of the other problems I pointed out earlier. (A parent to this comment.)

  * They do not work. *
If the challenge was "... as long as the input is in ASCII and doesn't include the '<' and '>' and '&' characters" then that's different. But that's not the challenge.

At the very least, raise an exception for out-of-range characters. The current code hacks some Latin-1 characters to ASCII, others to "X", and encodes characters >= 256 to &# escape codes. This is wrong.

To which kens added that because the server doesn't set the content-type encoding, if the browser autodetects the ASCII as being utf-7 then there's another possible attack.
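The escaping behaviour argued about in the comment above, as an added example: this is not the Arc code under discussion and not anything posted by mr-anonymous or kens. It shows a minimal Python escaper that touches only the five HTML-significant characters and passes every other code point through as UTF-8 (so the three strings the commenter asks to be tried come back exactly as typed), a response that declares its charset, and a constructed UTF-7 payload showing why the missing charset declaration kens mentions matters. The names escape_html, render_page, render_page_no_charset, browser_view and displayed_text are assumptions made for illustration, and browser_view is a deliberately simplified model of charset sniffing, not a real browser.

```python
import html  # stdlib; used only to unescape when checking the round trip

# Constructed sample inputs: the three strings the comment above asks to be tried.
LEON = ("The first conquistador in what is now the US was Juan Ponce de León "
        "and the last was Don Juan de Oñate Salazar.")
HEADLINE = "Nóróveirusýking á Hlíð"
BLINK = "Don't use the <blink> element!"

# Constructed attack string: the UTF-7 encoding of "<script>alert(1)</script>".
# It is pure ASCII and contains none of < > &, so a character-level escaper
# passes it through unchanged; only a declared charset stops a sniffing browser
# from decoding it as UTF-7.
UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"

_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_html(text):
    """Replace only the characters that carry HTML meaning; every other code
    point, ASCII or not, is left untouched so the page shows what was typed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def _page(user_input, declare_charset):
    # Hypothetical "you said" page: the same escaper in both variants, the only
    # difference being whether the response says what encoding the bytes are in.
    meta = '<meta charset="utf-8">' if declare_charset else ""
    body = ("<!DOCTYPE html><html><head>" + meta + "</head><body><p>You said: "
            + escape_html(user_input) + "</p></body></html>")
    ctype = "text/html; charset=utf-8" if declare_charset else "text/html"
    return {"Content-Type": ctype}, body.encode("utf-8")


def render_page(user_input):
    """Hardened variant: the body is UTF-8 and the response declares it."""
    return _page(user_input, declare_charset=True)


def render_page_no_charset(user_input):
    """Weak variant: same escaper, but the charset is left for the browser to guess."""
    return _page(user_input, declare_charset=False)


def browser_view(headers, body):
    """Simplified model (an assumption, not a real browser): honour a declared
    charset, otherwise sniff. An all-ASCII body is a valid UTF-7 stream, which
    is the guess that matters for the attack kens describes."""
    ctype = headers.get("Content-Type", "")
    if "charset=" in ctype:
        return body.decode(ctype.split("charset=", 1)[1].strip())
    return body.decode("utf-7")


def displayed_text(user_input):
    """What the reader ends up seeing inside the <p>: render, decode, unescape."""
    headers, body = render_page(user_input)
    page = browser_view(headers, body)
    start = page.index("You said: ") + len("You said: ")
    return html.unescape(page[start:page.index("</p>", start)])


if __name__ == "__main__":
    for sample in (LEON, HEADLINE, BLINK):
        assert displayed_text(sample) == sample
    print("escaped:", escape_html(BLINK))
    print("no charset, sniffed as UTF-7:",
          browser_view(*render_page_no_charset(UTF7_PAYLOAD)))
    print("charset declared:", browser_view(*render_page(UTF7_PAYLOAD)))
```

The two things to take from the block are that a correct escaper has nothing to do for accented or non-Latin-1 characters (they are data, not markup, and mangling them to "X" or to ASCII is a bug), and that escaping `<`, `>` and `&` is not sufficient on its own: without `charset=utf-8` on the response the ASCII-only payload is decoded by a sniffing browser into a script tag the escaper never saw.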

1 point by mr-anonymous 6167 days ago | link

Now I should be able to speak properly. http://news.ycombinator.com/item?id=111100

XSi! Äntligen! Tschüss! (Swedish "finally", German "bye".)
