On 18 Mar 2010, at 23:54, silky <[email protected]> wrote:
On Fri, Mar 19, 2010 at 10:46 AM, David Connors <[email protected]> wrote:
Yup. It is really a very big worry when people writing the framework can be so fundamentally stupid as to think that avoiding XSS issues is a function of input, not output.
I think this fact is not particularly obvious to everyone, and the typical MS strategy is to do something that may cause 'more good' than 'more harm' even if people don't like it. Clearly, this is IE's model with its respect of invalid HTML, and it's the model of
I believe this attitude is changing, which is good. It's never good to upgrade something and have it break, but in the long run it's better than persisting the 'lie'.
In the case of IE I guess competing browsers working to published standards forced the hand. If it weren't for competition in that space, we'd still be stuck with IE6.
Also giving the user the option to unbreak things, viz. compatibility modes that work.
RequestValidation. Reasonable programmers should turn it off and - indeed - do everything on *output*, but for the few who are able to create websites without understanding anything, maybe this helps them.
Indeed, for applications to function well, it should be off. I'll do my own escaping, thanks. And what's with a yellow screen of death for that anyway?
--
David Connors ([email protected])
Software Engineer
Codify Pty Ltd - www.codify.com
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
--
silky
http://www.programmingbranch.com/
--
Richard Carde