Robert Sayre wrote:
> I guess it depends on what you meant by "doomed to failure."

"Not provably secure" might be a better way to put it. Basically, I'm afraid of
solutions that give people a sense of security without actual security -- that's
a dangerous combination.

> I'm only trying to solve one authoring problem. Consider your typical CGI or PHP
> script. They're writing HTML (and XML) with string concatenation, like
> this:
>
>   echo("<div>" + user_submitted_text + "</div>");

I would assume that you would first replace all '<' in said text with >.
Certainly anyone sane would do that... I suppose the problem is that you want
to preserve certain user formatting (say <b> and style attributes) but at the
same time disallow things like <script> tags and onclick attributes?

> I want to give authors a replacement string
> for the "<div>" portions of the examples, and remove the burden of
> implementing an HTML parser from websites that want to include
> user-submitted content.

My problem is how to make sure that such a solution remains safe when some other
part of the same organization writes some script that rearranges things on the
page a bit.
-Boris
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
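
The two server-side options the thread contrasts for the `echo("<div>" + ...)` case, as an added example in Python that is not part of the original message or of any code by its participants: `escape_all` treats the submission as plain text, while `sanitize` parses it and re-serialises only an allowlist of formatting tags. The function names, the tag allowlist and the sample input are assumptions of this example, and it drops every attribute (including `style`) instead of trying to filter them.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong"}  # assumed allowlist for this example
DROP_CONTENT = {"script", "style"}         # their text is discarded as well
# Constructed sample submission, not taken from the thread.
SAMPLE = '<b onclick="alert(1)">hi</b><script>alert(2)</script> & <i>x'

def escape_all(user_text):
    """Treat the submission as plain text: no markup survives."""
    return "<div>" + escape(user_text, quote=True) + "</div>"

class AllowlistSanitizer(HTMLParser):
    """Re-serialise parsed input, emitting only allowlisted tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowlisted tags currently open
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append("<%s>" % tag)  # every attribute is dropped
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags and not self.skip_depth:
            while True:  # also close tags left open inside this one
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=True))

def sanitize(user_text):
    """Keep allowlisted formatting tags; escape or drop everything else."""
    parser = AllowlistSanitizer()
    parser.feed(user_text)
    parser.close()
    leftovers = ["</%s>" % t for t in reversed(parser.open_tags)]
    return "<div>" + "".join(parser.out + leftovers) + "</div>"

if __name__ == "__main__":
    print(escape_all(SAMPLE))
    print(sanitize(SAMPLE))
```

Because the output is rebuilt from parser events and never copied from the input, anything the parser does not report as an allowlisted tag or as text cannot reach the page as markup.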