help: Problem with cgi form

Jon Ribbens jon+usenet at unequivocal.co.uk
Mon Feb 25 18:03:35 EST 2002


In article <3C7AAF31.8040201 at mxm.dk>, Max M wrote:
> And then print it to the form like:
> 
> print '<INPUT TYPE=HIDDEN NAME="last_pos" VALUE="%s">' % last_byte_pos

Beware that, in general, that is a bug. You are open to Cross Site
Scripting attacks. Even in the absence of these, if the value happens
to contain characters significant to HTML (such as '"', '&', '>', etc)
then your program will go wrong.
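The breakage and the fix side by side, added here as an example and not code from either post. It assumes Python 3's html module and uses a constructed value containing a double quote to show how an unescaped interpolation lets the value escape the attribute, while html.escape keeps it intact; the byte-offset helper at the end is an added suggestion, not from the thread.

```python
import html
from html.parser import HTMLParser

# Constructed test value: a double quote is enough to break out of VALUE="..."
HOSTILE_VALUE = '1234" EXTRA="x'


def render_hidden_unescaped(name, value):
    """The pattern from the quoted post: value dropped into the attribute verbatim."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (name, value)


def render_hidden(name, value):
    """Hardened form: escape both name and value for an attribute context.

    quote=True (the default) turns '"' and "'" into entities as well as & < >,
    so the browser cannot see a second attribute or a tag boundary inside the value.
    """
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (
        html.escape(str(name), quote=True),
        html.escape(str(value), quote=True),
    )


def render_position_field(pos):
    """For a byte offset specifically, validate the type rather than trust the string."""
    pos = int(pos)  # raises ValueError for anything that is not an integer
    if pos < 0:
        raise ValueError("byte position must be non-negative")
    return render_hidden("last_pos", pos)


class _TagCollector(HTMLParser):
    """Records (tag, attrs) as a browser-like parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with entity references already decoded
        self.tags.append((tag, dict(attrs)))


def parse_attrs(markup):
    """Return the attribute dict of the first tag in markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]
```

parse_attrs(render_hidden_unescaped("last_pos", HOSTILE_VALUE)) shows the value truncated to "1234" and a new attribute "extra" the program never wrote, whereas the escaped rendering round-trips the full value as a single attribute.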


