Robert Sayre <[EMAIL PROTECTED]> wrote:
> I guess it depends on what you meant by "doomed to failure." I'm only
> trying to solve one authoring problem. Consider your typical CGI or PHP
> script. They're writing HTML (and XML) with string concatenation, like this:
>
> echo("<div>" + user_submitted_text + "</div>");
>
> A professional might have
>
> echo("<div>" + strip_dangerous(user_submitted_text) + "</div>");
If we just replace <div> with <strip_dangerous>, then it seems to me
that we've only moved the problem. Now, strip_dangerous has to be sure
to remove all possible insertions of "</strip_dangerous>" in
user_submitted_text, which, as you point out, is hard if you haven't
fully reverse engineered parser/htmlparser.
I seem to recall dveditz asking about using HTML processing instructions
for this purpose (since they don't have any sort of end tag), but that
has interoperability problems since most browsers don't support them.
There is also the problem that the untrusted content *must* be after all
untrusted content, since there's no way to turn the filtering off.
--
Blake Kaplan
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
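The point made above, that a wrapper element only moves the problem to "make sure the end tag never appears in the content", illustrated as an added example in Python (not code from either poster; the strip_dangerous element, the check functions and the probe strings are hypothetical):

```python
import html
import re

# Constructed probes (not from the thread): spellings of the end tag that
# a literal substring check does not anticipate.
PROBES = [
    "</strip_dangerous>",
    "</STRIP_DANGEROUS>",     # tag names are matched case-insensitively
    "</strip_dangerous >",    # whitespace is allowed before '>'
    "</strip_dangerous x>",   # end tags may carry (ignored) attributes
]

def naive_check(user_text):
    """What a hurried strip_dangerous() might do: look for one literal
    spelling. Returns True if the text is judged safe to wrap."""
    return "</strip_dangerous>" not in user_text

# In the HTML tokenizer an end tag's name ends at whitespace, '/' or '>',
# and is compared case-insensitively.
END_TAG = re.compile(r"</strip_dangerous(?=[\s/>])", re.IGNORECASE)

def contains_closing_tag(user_text):
    """Closer to the tokenizer: catches the spellings above. It is still
    only as complete as our knowledge of the parser's rules."""
    return END_TAG.search(user_text) is not None

def wrapper_render(user_text):
    """The 'filtering element' idea: everything up to the end tag is inert,
    so correctness hinges on the end tag never occurring in user_text."""
    return "<strip_dangerous>" + user_text + "</strip_dangerous>"

def escaped_render(user_text):
    """Output encoding instead: '<', '>', '&' and quotes become entities,
    so no tag of any name can be formed, whatever its spelling."""
    return "<div>" + html.escape(user_text, quote=True) + "</div>"

def naive_misses(probes=PROBES):
    """Probes the naive check accepts even though they close the wrapper."""
    return [p for p in probes if naive_check(p) and contains_closing_tag(p)]
```

Run naive_misses() to see which probes slip past the literal check; escaped_render() neutralises all of them because the '<' never reaches the parser as markup.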