Making very complex Ajax rich-client web applications perfectly xHTML valid is not easy. Most of the enterprise world goes way beyond simple flat-file xHTML. Add in (the real reality of) highly database-driven, dynamically generated javascript/ajax-heavy pages, and I continue to conjecture that perfect xHTML is not only not that important but very difficult to accomplish. Or at least it's not "simple" as you state below.
Heck, who is to say that you can't accomplish XSS or other client-side attacks and still be xHTML compliant? I think you would go a lot further in securing your apps if you got programmers to HTML entity encode output data, actually do access control right, encode data on the server side to prevent injection attacks, etc. Sure, the WAF world would like xHTML, but we do not live in a perfect world. Most sites in the enterprise are not xHTML compliant.

- Jim

> At 9:12 AM -1000 8/26/08, Jim Manico wrote:
>
>> How does xHTML help stop access control vulnerabilities?
>> Authorization issues? CSRF problems?
>
> It is indicative of the caliber of the people who built
> the site.
>
> My immediate interest is that validation combats browser crashes.
>
> I am not interested in dealing with people who cannot get
> the simple things right.

--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008
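The point above, that xHTML validity and XSS resistance are separate properties, as an added example that is not part of the original thread: both renderings below produce well-formed XHTML fragments, but only the one that entity-encodes untrusted output keeps injected markup from becoming a script element. The fragment shape, function names and the sample comment are constructed for this illustration.

```python
# Added example: well-formed XHTML is not the same as safe XHTML.
# A constructed untrusted value pasted verbatim into markup yields a
# fragment that still parses as well-formed XML yet contains an
# attacker-controlled <script> element; entity-encoding the value on
# output removes the injection and the fragment stays well-formed.
import html
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed untrusted input, e.g. a user-supplied comment.
UNTRUSTED_COMMENT = '<script type="text/javascript">run()</script>'


def render_unencoded(comment: str) -> str:
    """Vulnerable rendering: untrusted text dropped straight into markup."""
    return '<div xmlns="%s"><p>%s</p></div>' % (XHTML_NS, comment)


def render_encoded(comment: str) -> str:
    """Hardened rendering: HTML entity encode untrusted text before output."""
    return '<div xmlns="%s"><p>%s</p></div>' % (
        XHTML_NS, html.escape(comment, quote=True))


def is_well_formed(fragment: str) -> bool:
    """True if the fragment parses as well-formed XML, the XHTML precondition."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def script_element_count(fragment: str) -> int:
    """Number of <script> elements an XML parser finds in the fragment."""
    root = ET.fromstring(fragment)
    return len(root.findall(".//{%s}script" % XHTML_NS))


def paragraph_text(fragment: str) -> str:
    """Text content of the <p> element, with entities already decoded."""
    root = ET.fromstring(fragment)
    return root.find("{%s}p" % XHTML_NS).text or ""


if __name__ == "__main__":
    for name, render in (("unencoded", render_unencoded), ("encoded", render_encoded)):
        frag = render(UNTRUSTED_COMMENT)
        print(name, "well-formed:", is_well_formed(frag),
              "script elements:", script_element_count(frag))
```

Both fragments pass the well-formedness check; only the encoded one carries the comment as inert text rather than as a script element.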
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________