ngx_xss: Native support for cross-site scripting in an nginx

agentzh agentzh at
Fri Jan 29 10:46:49 MSK 2010

On Thu, Jan 28, 2010 at 4:45 PM, quan nexthop <quan.nexthop at> wrote:
> 1) Which field is checked in your function? Do we need to check
> cookie/url/content-length etc.?

I don't think that I understand your question. I'm guessing that you
mean access control mechanism? If yes, then that's for another module
to work together with it, like ngx_encrypted_cookie.

> 2) A decode function is used to decode the args, do we need decode escape
> type? what about unicode and utf-8?

It's based on octet decoding, no charset is involved here. Either
Unicode or UTF-8 should be fine, as well as other charsets. It depends
on the client side to interpret the charset, not ngx_xss :)
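
The octet-level decoding described in this reply can be sketched as follows. This is an added example, not part of the original post and not ngx_xss's own code; the function name `octet_unescape` and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..len) into dst (dst must hold at least len bytes).
 * Works purely on octets: %XX becomes the byte 0xXX and no charset is
 * consulted. Malformed or truncated escapes are copied through unchanged.
 * Returns the number of bytes written. (Hypothetical helper.) */
size_t octet_unescape(unsigned char *dst, const char *src, size_t len)
{
    size_t i = 0, n = 0;
    while (i < len) {
        int hi = -1, lo = -1;
        if (src[i] == '%' && i + 2 < len
            && (hi = hex_val((unsigned char) src[i + 1])) >= 0
            && (lo = hex_val((unsigned char) src[i + 2])) >= 0) {
            dst[n++] = (unsigned char) ((hi << 4) | lo);
            i += 3;
        } else {
            dst[n++] = (unsigned char) src[i++];
        }
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the same character escaped as UTF-8 and as GBK,
     * then a string with a malformed and a truncated escape. */
    const char *samples[] = { "%E4%BD%A0", "%C4%E3", "a%zzb%4" };
    unsigned char out[32];
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        size_t n = octet_unescape(out, samples[s], strlen(samples[s]));
        printf("%-10s ->", samples[s]);
        for (size_t k = 0; k < n; k++) printf(" %02X", (unsigned) out[k]);
        printf("\n");
    }
    return 0;
}
```

Both encodings come out as raw bytes with no validation or conversion, so whatever consumes the decoded value has to decide how to interpret those bytes.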
