* Steven M. Christey:

> Yet smart people insist that it's still input validation, even
> when presented with the example I gave. So what's the
> perspective difference that's causing the disconnect?
Some technologies are designed as if to discourage proper output encoding. Most templating engines (native PHP, Perl variable interpolation, JSP, Template::Toolkit, StringTemplate) discard the distinction between literal strings in the template, and substitution variables. In many cases, there's little support for composing reusable, parameterized templates from other templates, and you have to fall back to the host language and plain string concatenation instead to create such abstractions.

This means that it appears rather costly to do proper output encoding, especially in legacy systems. And input encoding looks very easy to do (at least until you discover more and more potential input paths).

But I suspect that the culture of input validation is partly responsible for the difficulty of addressing cross-site scripting issues. 8-(

(There's also a rather nasty potential explanation: input validation sells web firewalls and related services, output encoding does not.)

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
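The post's complaint is that most template engines treat literal template text and substituted variables as the same kind of string, so nothing forces encoding at the output boundary, and that composing parameterized templates then requires falling back to plain concatenation. The following added example (written for this edit, not code from the post's author or from any of the engines named above) shows the alternative in miniature: a toy template engine that keeps the two apart by type, escapes every substitution variable for an HTML context, and lets one rendered template be substituted into another without double-escaping. The `${name}` syntax, the `Markup` type, the `Template` class and the sample inputs are all constructed for this illustration.

```python
import html
import re


class Markup(str):
    """A string already known to be safe HTML: literal template text or the
    output of another template.  Substituting a Markup value does not escape it."""
    __slots__ = ()


def escape(value):
    """Encode a substituted value for an HTML text or quoted-attribute context.
    Anything that is not already Markup is treated as untrusted data."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


class Template:
    """Tiny template engine (hypothetical, for illustration).  The template
    source is split into literal text and ${name} placeholders at parse time,
    so the renderer never loses track of which part came from the developer
    and which part came from the caller."""
    _placeholder = re.compile(r"\$\{(\w+)\}")

    def __init__(self, source):
        self.parts = []          # list of ("lit", text) and ("var", name)
        pos = 0
        for m in self._placeholder.finditer(source):
            self.parts.append(("lit", source[pos:m.start()]))
            self.parts.append(("var", m.group(1)))
            pos = m.end()
        self.parts.append(("lit", source[pos:]))

    def render(self, **params):
        out = []
        for kind, value in self.parts:
            if kind == "lit":
                out.append(value)               # developer-authored text: verbatim
            else:
                out.append(escape(params[value]))  # caller-supplied data: encoded
        # The result is Markup so it can be substituted into an outer template
        # without being escaped a second time.
        return Markup("".join(out))


# Two reusable templates; the inner one is a parameterized partial.
LINK = Template('<a href="${url}">${label}</a>')
PAGE = Template('<p>Hello ${user}!</p>${nav}')


def render_page(user, label, url):
    """Compose the page from the partial.  Data flowing through either
    template is escaped exactly once, at the point of substitution."""
    nav = LINK.render(url=url, label=label)
    return str(PAGE.render(user=user, nav=nav))


def naive_render(user):
    """What plain interpolation gives you: literal text and data are merged
    with no encoding step, which is the situation the post describes."""
    return "<p>Hello {user}!</p>".format(user=user)


if __name__ == "__main__":
    # Constructed sample inputs containing HTML metacharacters.
    print(naive_render("<script>alert(1)</script>"))
    print(render_page("<script>alert(1)</script>", 'Tom & "Jerry"', "/profile?id=7&tab=x"))
```

The design point is that the safe/unsafe distinction lives in the type system rather than in the discipline of each call site: a developer cannot forget to encode, and the only way to bypass encoding is to construct a `Markup` value deliberately. The escaping here covers HTML text and quoted attribute values only; a substitution into a JavaScript block, a URL scheme position or a CSS property needs a different encoder for that context, which is exactly the kind of per-context knowledge a template engine can carry and ad hoc concatenation cannot.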