Since CSS vulnerabilities are due to the nature of html presentation, it seems to me that the presentation layer is clearly the place to fix it.
Storing encoded data is a bad idea, IMHO, because:

You've got to somehow ensure that all input data is channeled through your encoder. Sure, this may be easy for web forms, but what about direct updates or imports to the database?

What happens when you try to use your data in a different presentation technology such as a Swing or console app? Trying to de-escape the data everywhere you use it would suck.

You can escape data for HTML 4.0 and store it... but what about years from now when HTML 8.0 rolls around and there are new things to escape, or old things that should be escaped differently? Reprocess your whole database?

I think you should always store the data model in as "pure" a form as possible, and let any particular presentation layer make sure that data behaves well. HTML output escaping is pretty computationally trivial, so performance doesn't seem like much of an issue. Mixing presentation-specific encoding into the data model, on the other hand, is setting up for future peril :-)

Jeff Schnitzer
[EMAIL PROTECTED]

> -----Original Message-----
> From: Danny Angus [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 21, 2001 1:20 PM
> To: Jakarta General List
> Subject: RE: Cross site scripting
>
>
> Actually I was busy, what I really wanted to say was that I agree with every one of the points you make, but still stick to my preference for escaping on the way in, but ok let's say only where practical.
> I've been involved myself in a project where we had to accept input of script and prepare output of it for display or execution.
> And there are a number of other legitimate uses for some of the techniques which come under the umbrella of CSS.
>
> The only truly compatible answer is to delegate to the application designer full responsibility for this task.
>
> Hence, of course, the requirement for a small API to help her/him do the dull hard work. (which I'm right behind)
>
> d.
>
> > -----Original Message-----
> > From: Danny Angus [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 21, 2001 6:57 PM
> > To: Jakarta General List
> > Subject: RE: Cross site scripting
> >
> >
> > Ok, you're right!
> > d.
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
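The two designs argued over in this thread, as an added illustration that is not part of the original messages and not Jakarta code: one model stores the submitted text unchanged and lets each view encode for its own medium, the other stores HTML-encoded text ("escape on the way in"). The class names, the `compare` helper and the sample input are constructed for the example; Python's `html.escape` stands in for whatever encoder the application would use.

```python
import html

# Constructed sample input (not from the thread): user text containing
# characters that are meaningful to HTML.
SAMPLE_INPUT = 'Tom & "Jerry" <b>!</b>'


class RawStore:
    """Model keeps text exactly as submitted; each view encodes for its medium."""
    def __init__(self):
        self.rows = []

    def save(self, text):
        self.rows.append(text)

    def render_html(self):
        # HTML view: encode & < > " ' at output time, every time.
        return [f"<li>{html.escape(t, quote=True)}</li>" for t in self.rows]

    def render_console(self):
        # Console or Swing view wants the plain text; nothing to undo.
        return list(self.rows)


class EncodedStore:
    """Model stores HTML-encoded text ("escape on the way in")."""
    def __init__(self):
        self.rows = []

    def save(self, text):
        self.rows.append(html.escape(text, quote=True))

    def render_html(self):
        # A view that follows the usual "always encode on output" rule now
        # double-encodes: the browser shows literal &lt; and &amp; sequences.
        return [f"<li>{html.escape(t, quote=True)}</li>" for t in self.rows]

    def render_console(self):
        # Every non-HTML consumer must know the data is encoded and undo it.
        return [html.unescape(t) for t in self.rows]


def compare(text=SAMPLE_INPUT):
    """Run one input through both designs; return what each view emits."""
    raw, enc = RawStore(), EncodedStore()
    raw.save(text)
    enc.save(text)
    return {
        "raw/html": raw.render_html()[0],
        "raw/console": raw.render_console()[0],
        "encoded/html": enc.render_html()[0],
        "encoded/console": enc.render_console()[0],
    }
```

The encoded model only looks right in the HTML view if that view is the one place in the system that skips encoding, which is exactly the coupling between data model and presentation the thread warns about.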
