Soren,
You make 2 very short but interesting points which I agree with:
1) If you are dealing with many outputs then "sure" delaying
"sanitizing" until presentation is the way to go. If you expect your
data to 100% of the time appear in HTML then I don't think it's so black
& white as this approach would come with a hefty cost in performance in
a "high" read "low" write web app. Besides performance hit the other
not so pleasant aspect of delaying is that there really isn't a single
interface to "sanitize" and there's a lot of unnecessary boilerplate.
That is to say in the case of HTML, you need to:
a) Wrap whatever is presented in view JSPs in say fn:escapeXml calls -
which is trivial but so darn repetitive. Not a major issue though but
rather ugly and repetitive.
b) Hand encode parameter values (think {1}) appearing in error messages
displayed back to the user.
How did you resolve a) and b) in an elegant way? Did you use formatters
or do something else???
2) As you point out using Parameterized Queries or Prepared Statements
with variable bindings does indeed thwart SQL Injection attacks. I
wasn't aware of that. The key is that the JDBC driver "encodes" the
variables. One needs to be careful though not to plug-in string insert
parameters into queries as that exposes the problem again.
Alas, with respect to SQL Injection there does indeed appear to be a
free lunch.
Thanks,
--Nikolaos
Søren Pedersen wrote:
In my application we are dealing with many outputs, so I agree with
the point Mark made.
As for SQL injections, use variable binding, meaning PreparedStatement.
We had several successful security evaluations on this setup.
Regards
Søren
On 28/10/2010 03.52, "Mike McNally" <emmecin...@gmail.com> wrote:
For what it's worth, I entirely disagree with the idea that all input
must be sanitized on the way in. That reflects a fundamental
misunderstanding of the generalized problem of which XSS is just one
manifestation.
User input is user input. What's important (vital, I'd say) is for
the software to be sensitive to the fact that user input may end up
being presented to "ignorant" parsers for interpretation. A good
example is SQL. There's nothing wrong with the name "O'Hara". It's
somebody's name, and we cannot and should not disallow somebody from
using that string as their name. But because that name contains the
single-quote character, it's important that the server software takes
care with it whenever it's being used in a SQL query. Similarly, the
presentation layer might need to be careful should that name need to
be used in a Javascript string, or in an HTML attribute value.
Quoting of user-supplied data needs to be done at the point that the
values are being handed over to another (ignorant) agent for
re-interpretation. HTML is just one of many such cases. It makes
absolutely no sense to pick one potential destination environment as
the critical target for data "sanitization". This point is made
clearly evident by considering the fact that the requirements for
protecting user-supplied strings from misinterpretation by an
HTML/XML parser are completely different from those necessary to
protect against Javascript misinterpretation.
Data sanitization is a *presentation* problem, not an input problem.
There may of course be guidelines about what certain particular input
fields look like; obviously an ampersand is inappropriate in a phone
number. But whenever I use a bank website written by clearly
incompetent contractors that disallows my use of ampersands in
"secure messages" to customer support, I'm reminded of how rare it is
that this truism is misunderstood (or not understood at all) in the
web application development community.
Thus, Nikolaos, I think you're absolutely wrong. That does not mean
that I think you're a bad person. Indeed, from your many posts on
this mailing list, you seem like a wonderful man. I ask simply that
you consider the fundamental nature of the problem. If I want to
submit a "description" for some data entry, and my description
includes angle brackets and ampersands, why would you disallow that?
It's my comment or description, after all. I may have a very good
reason to use those characters. The fact that they're HTML
metacharacters is probably completely unknown to your typical user.
They see the characters on the keyboard, and they feel entitled to
use them. That's perfectly reasonable.
On Wed, Oct 27, 2010 at 8:13 PM, Rick Grashel <rgras...@gmail.com> wrote:
>
> I would recommend rea...
--
Turtle, turtle, on the ground,
Pink and shiny, turn around.
------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America
contest
Create new apps & games for the Nokia N8 for consumers in U.S. and
Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in
marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
--
Nikolaos Giannopoulos
Director of Information Technology
BrightMinds Software Inc.
e. nikol...@brightminds.org
w. www.brightminds.org
t. 1.613.822.1700
c. 1.613.797.0036
f. 1.613.822.1915
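An added example, not code from Stripes, the list, or either correspondent: one Java class that takes the same user-supplied string (Mike's "O'Hara", plus markup) and encodes it only at the point it is handed to each consumer: HTML element text (the substitutions fn:escapeXml makes), a JavaScript string literal, a MessageFormat error message with {n} arguments (Nikolaos's point b), and a SQL query through PreparedStatement binding. The `users` table and `name` column are assumptions, and `main` does not open a database connection; `userExists` is there to show the binding form beside the concatenation it replaces.

```java
import java.sql.*;
import java.text.MessageFormat;

// Added example, not code from Stripes or from this thread: one user-supplied
// string, encoded only where it is handed to each "ignorant" parser.
public class OutputEncodingDemo {
    // Same substitutions as JSTL fn:escapeXml: safe for element text and for
    // quoted attribute values. Ampersand must go first.
    static String forHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&#034;").replace("'", "&#039;");
    }
    // A JavaScript string literal needs different rules: every character outside
    // ASCII letters and digits becomes a unicode escape, so nothing can close
    // the literal or the enclosing script element.
    static String forJsString(String s) {
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) b.append(c);
            else b.append(String.format("\\u%04x", (int) c));
        }
        return b.toString();
    }
    // Point b) of the reply: encode each {n} argument before MessageFormat
    // inserts it, so only the trusted template contributes markup.
    static String errorMessage(String template, Object... args) {
        Object[] enc = new Object[args.length];
        for (int i = 0; i < args.length; i++) enc[i] = forHtml(String.valueOf(args[i]));
        return MessageFormat.format(template, enc);
    }
    // SQL context: bind the value and let the JDBC driver handle O'Hara. Building
    // the query as "... WHERE name = '" + name + "'" would reopen the hole.
    // Table and column names are assumptions for this example.
    static boolean userExists(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        }
    }
    public static void main(String[] argv) {
        String name = "O'Hara <b>&</b>";   // constructed sample input
        System.out.println("<td>" + forHtml(name) + "</td>");
        System.out.println("var n = '" + forJsString(name) + "';");
        System.out.println(errorMessage("User {0} could not be saved", name));
    }
}
```

Running `main` shows the three encodings side by side: the HTML form keeps the name readable in a cell, the JavaScript form turns every apostrophe, angle bracket and space into an escape the JS parser reads back as the same characters, and the error message carries the encoded value while the template stays trusted.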