I never saw any RFC restriction to put "<" ">" out of any URL. Anyway it is used on internet (as I mentioned some time ago) therefore restricting it will result in problems. More security-less features, ratio decision is up to you. Additionally Cross site scripting checking has to be done on web server application side not on client side level or client's proxy otherwise it doesn't solve problem. Regards DavidF callto://spaceq ________________________________________ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, February 23, 2005 3:39 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Script Injections http://www.ISAserver.org Hi Rob, This should be a good start http://www.faqs.org/rfcs/rfc1630.html Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls ________________________________________ From: Rob Moore [mailto:RMoore@xxxxxxxx] Sent: Wednesday, February 23, 2005 8:24 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Script Injections http://www.ISAserver.org Hey Jim-- Any chance you've had a mo to find these RFCs? I've been looking for them myself with no luck. If you could even just point me to the right place, that would be great. Thanks, Rob This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com