On Fri, Mar 19, 2010 at 11:07 AM, David Connors <[email protected]> wrote:
> On 19 March 2010 09:54, silky <[email protected]> wrote:
>
> > RequestValidation. Reasonable programmers should turn it off and -
> > indeed - do everything on *output*, but the few who are able to create
> > websites without understanding anything; maybe this helps them.
>
> It'd be more helpful if they provided some wrappers for output similar to
> struts and made the developers use that so they understand what they're
> doing. Possibly a better model might have been to escape everything that
> goes out of the response object by default + provide a tag library that
> covers 99% of normal use cases.
>
> Then if people need to write out something unsafe (e.g. you're writing a CMS
> or similar) then you can pass in an argument to the response object along
> the lines of "OUTPUT_UNSAFE_HTML" .... might make people stop and think.

Yeah, but there are obviously implementation issues and training issues
there. Complexity leads to errors. It's not so simple. OWASP puts out a
thing like that, OWASP ESAPI; but does anyone use it? Or know of it? Or
trust it?

> Unfortunately, that would not make for a good drag-and-drop demo
> presentation.
>
> --
> David Connors ([email protected])
> Software Engineer
> Codify Pty Ltd - www.codify.com
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

--
silky
http://www.programmingbranch.com/
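The "escape everything on output by default, with an explicit opt-in for raw markup" model discussed in David's message, sketched as an added example in Python (not code from either poster or from ASP.NET, Struts or ESAPI). The response class, the `OUTPUT_UNSAFE_HTML` marker name, the `link` helper and the comment-rendering function are all assumed for illustration.

```python
# Added example: a response object that HTML-encodes every write unless the
# caller passes the opt-in marker, plus a tag-library style helper that encodes
# attribute and text contexts separately. Names are assumed, not from a framework.
import html

OUTPUT_UNSAFE_HTML = "OUTPUT_UNSAFE_HTML"  # explicit opt-in, as named in the thread


class EscapingResponse:
    """Collects output; each write is entity-encoded unless marked unsafe."""

    def __init__(self):
        self._parts = []
        self.unsafe_writes = 0  # count opt-ins so a review or log can spot them

    def write(self, text, mode=None):
        if mode == OUTPUT_UNSAFE_HTML:
            # Caller has explicitly asserted this fragment is trusted markup.
            self.unsafe_writes += 1
            self._parts.append(text)
        elif mode is None:
            # Default path: encode <, >, &, " and ' for an HTML text context.
            self._parts.append(html.escape(text, quote=True))
        else:
            raise ValueError(f"unknown output mode {mode!r}")

    def body(self):
        return "".join(self._parts)


def link(href, label):
    """Tag-library style helper: attribute encoding alone does not neutralise a
    scripting URL scheme, so the scheme is restricted before the value is encoded."""
    if not href.lower().startswith(("http://", "https://", "/")):
        href = "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'


def render_comment(author, comment):
    """Static template markup is written with the opt-in; user data never is."""
    resp = EscapingResponse()
    resp.write("<p>", OUTPUT_UNSAFE_HTML)
    resp.write(author)       # user-supplied: encoded by default
    resp.write(": ")
    resp.write(comment)      # user-supplied: encoded by default
    resp.write("</p>", OUTPUT_UNSAFE_HTML)
    return resp.body()
```

The point of the design is visible in `render_comment`: the only way user data reaches the page unencoded is if a developer deliberately adds the marker to that write.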
