Hi Dave,

On 3/16/07, Dave Newton <[EMAIL PROTECTED]> wrote:
> --- Leon Rosenberg wrote:
> > And even with an rdbms, have you ever tried to
> > update like 1.000.000 rows of an in-production db
> > under traffic?
>
> Stuff like that happens all the time, although I tend
> to do such things at low-traffic times or on a
> replicated DB (yeah, moving it back takes time too,
> but that's data for ya').

But it's much more expensive and complicated than a code change, which,
at least in a JSP, can usually be performed without any implications.
Changing data in the DB usually requires some downtime, or you have
to run a Java program which changes the data via public interfaces
(so the caches and POJOs/EJBs or whatever components remain in a
consistent state), which are usually not designed for such mass data access.


> If the traffic is that high then running it through
> that huge regexp on each output will be expensive too.

> > First of all the user data remain untouched. This
> > could have some legal issues.
>
> If that's a huge problem, then duplicate the data; one
> raw, one filtered.

> > Then, encoding is cheaper than regexp. Much cheaper.
> > And you have to encode anyway, since you want to
> > deliver valid HTML, don't you?
>
> Encoding? Not if you want the HTML to contain markup,
> which was what the OP said.

Hmm, the OP said:
I am trying to find a best solution to prevent Cross site scripting attacks.

Nothing about markup. Allowing the user to inject HTML markup in your
pages is the road to hell anyway.

But hey, feel free to email me the URLs of the sites which allow
markup, we will find some "other" usage for them.


> > 2. Avoiding DoS exposure since filtering,
> > especially with regexp, is very expensive.
>
> If you need to remove only specific (X)HTML element
> *attributes* it's going to be expensive anyway. It's
> cheaper to do it once.

Markup aside, normally <bean:write ... filter="true"/> (which is the
default) eliminates 99% of XSS vulnerabilities (at least all of the ones
I found here: http://ha.ckers.org/xss.html)
and is pretty cheap.

regards
Leon
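As an added illustration of the point above (example code, not from this thread and not Struts' own source): `htmlEscape` is a hypothetical stand-in for the single-pass escaping that `<bean:write filter="true"/>` applies at render time, leaving the stored value untouched, while `stripTags` is a hypothetical regex blacklist filter of the kind applied to the stored data instead. The inputs are constructed.

```java
import java.util.regex.Pattern;

/** Added example: output encoding at render time vs. regex filtering of stored data. */
public class OutputEncodingDemo {

    // Single linear pass over the string; the raw value in the DB is never modified,
    // only the rendered output is encoded, so '<' and '>' can never start a tag.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical blacklist filter: a regex that deletes anything tag-shaped.
    // It must run against the stored data (or every output), and it alters the data.
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    static String stripTags(String s) {
        return s == null ? "" : TAG.matcher(s).replaceAll("");
    }

    public static void main(String[] args) {
        // Constructed inputs: one is markup, one is ordinary prose containing '<' and '>'.
        String[] samples = { "<b>hello</b>", "if x < y and y > z then" };
        for (String raw : samples) {
            System.out.println("raw      : " + raw);
            System.out.println("escaped  : " + htmlEscape(raw)); // renders inert, raw data intact
            System.out.println("stripped : " + stripTags(raw));  // the second input loses " < y and y >"
            System.out.println();
        }
    }
}
```

The second sample shows the "user data remain untouched" concern from the thread: the filter silently rewrites a legitimate value, while escaping at output changes nothing in the store.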
