Sorry, you haven't convinced me, I appreciate what you're saying but having to 
cache the static pages after you've cleansed them doesn't seem right either....

Of course if you're relying on javascript to display as in ajax then you have a 
point.

Andrew.

>How do you know it's junk?  Let's say you have a last name of "O'reilly"
>entered into a form field.  That string will break the following
>code:
>
><script language="javascript">
>       alert('#last_name#');
></script>
>
>You would not want to remove the tick from the name in the database, as
>now you have lost part of your data.  Instead you sanitize it at the
>time you output it with jsstringformat.
>
>Now, some of you are probably thinking, "Why don't you just escape it
>when you put it into the database?"  My answer to that is, "How do you
>know in what context that data might need to be displayed?"  If you
>escape the data for a JavaScript string at the time you store it, then
>it won't look right when you want to output it in HTML.  OK, so you
>might think you should escape it for HTML at the time you store it-- now
>you write a flex front-end for your app and wish to display it in Flash.
>
>
>There are reasons other than malicious attacks to clean your data, and
>it is my opinion that the interface responsible for displaying the data
>should also be responsible for cleaning it appropriately.  If that is
>done, "O'Reilly" won't be an issue and neither will XSS.
>
>If you are concerned about the performance implications of formatting
>the data over and over again you could cache static pages and serve them
>up.  If your data is ever-changing, I consider this overhead a small
>price to pay that comes with the business of storing and regurgitating
>data.
>
>~Brad
>
>Why store junk? If you're going to store data, shouldn't it be
>escaped/purified before you store it? Then you're escaping it once as
>opposed to escaping it 1000's of times every time you display/output it?
>
>>> So what do you recommend instead? The built-in XSS protection 
>>> doesn't catch everything.
>>
>>I recommend that you consider accepting and storing "unsafe" strings,
>and 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303796