On Aug 16, 2009, at 02:58, Arthus Erea wrote:
> Right now, we automatically mistrust all form data. We over-think > everything, escaping every possible ampersand, even when it's clearly > not malicious. > > Why do we mistrust our users so much? It is an appropriate security stance to mistrust all form data. It would be foolish to do otherwise, and invite security exploits. I find it curious that anyone with experience with building web applications would consider any user input "clearly not malicious." When the audience is anonymous, nothing is "clearly not malicious." When the user is authenticated, and no longer anonymous, it's wise to consider stupidity, as well as malicious behavior. -- We are here and it is now. Further than that all human knowledge is moonshine. H.L.Mencken --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/habari-dev -~----------~----~----~----~------~----~------~--~---
