There’s a feedback form on a web site that I have to use quite often. As a security measure it rejects submissions that contain at least some types of HTML markup and JavaScript. However, one of the purposes of the form in question is to submit bug reports for a web application, including error messages. The error messages in this web app often include portions of HTML and scripting. Sigh.
As the form is only accessible to signed-in, paid-up users of the web app, it shouldn’t be a target for random hackers. In most environments it’s possible for a programmer who knows what she’s doing to handle submitted text in such a way that, no matter what it contains, it will never be a threat. Allowing users to submit bug reports for the application they’ve paid to use should be made as painless as possible - they’ve already been let down once by the original bug, don’t let them down again when they report the bug.
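As an added illustration (not code from the site or the post), here is the contrast in miniature: a reject-on-input filter of the kind described, which throws away a legitimate bug report because it quotes the app's own error markup, beside the approach the post argues for, which stores the text as-is and encodes it for the HTML context only at the point where it is displayed. The sample report is constructed, and the filter is a hypothetical stand-in for whatever the real form does; the encoding shown is correct for text placed in an HTML element body, and a different encoder would be needed for attributes, JavaScript or URLs.

```python
import html
import re

# Constructed sample submission: a user pastes the application's own
# error message, which happens to contain markup and a script fragment.
SAMPLE_REPORT = (
    "Clicking Save shows this error:\n"
    '<div class="error">Unexpected token in <script>renderGrid()</script></div>'
)

# Hypothetical reject-on-input filter, standing in for the form's behaviour:
# anything that looks like a tag causes the whole submission to be refused.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z]")


def filter_accepts(report: str) -> bool:
    """True if the naive filter would let the submission through."""
    return TAG_PATTERN.search(report) is None


# The alternative: accept the text verbatim and treat it purely as data.
def store_report(report: str) -> dict:
    """Persist the submission exactly as typed; nothing is interpreted here."""
    return {"body": report}


def escape_for_html_body(text: str) -> str:
    """Encode text for an HTML element body so the browser shows it as text."""
    return html.escape(text, quote=True)


def render_report_html(stored: dict) -> str:
    """Build the fragment for the report page, encoding at output time."""
    return f'<pre class="bug-report">{escape_for_html_body(stored["body"])}</pre>'


def body_is_inert(stored: dict) -> bool:
    """Check that the encoded body contains no characters the parser could
    read as the start of a tag or attribute boundary."""
    encoded = escape_for_html_body(stored["body"])
    return not any(ch in encoded for ch in '<>"\'')


if __name__ == "__main__":
    print("naive filter accepts report:", filter_accepts(SAMPLE_REPORT))
    print(render_report_html(store_report(SAMPLE_REPORT)))
```

Authentication limits who may submit, not what the submitted text does to whoever later views it, so the output encoding is what actually makes the stored report safe to display.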