- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Mon, 25 Jan 2010 23:03:27 -0000
- To: "Michal Zalewski" <lcamtuf@coredump.cx>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Mon, 25 Jan 2010 19:51:33 -0000, Michal Zalewski <lcamtuf@coredump.cx> wrote: > If you have the intent to display user-controlled input, you have three > options: > > <span>[server-sanitized string]</span> > <iframe srcdoc="[server-escaped string]"></iframe> > <span guard=[token]>[any string]</span guard=[token]> > > The first two options will not immediately fail if you forget about or > mess up escaping or sanitization - and people to, all the time. The > last option just works, unless you purposefully sabotage your code by > using "1234", or can't generate a random number / session token on > server side (in which case, you are hosed already - session cookies > can be guessed, too). The last option strikes me as a bit less > error-prone. Not quite. In PHP (and many other web frameworks) sessions tokens are generated automatically, so bad programmers may get secure sessions, but generate insecure guard tokens. I'm afraid that some authors will simply hardcode "random" token in their templates (as in http://xkcd.com/221/ :) Also, <span guard> has no safe backwards-compatibility at all. Isn't that a deal-breaker? -- regards, Kornel LesiĆski
Received on Monday, 25 January 2010 23:04:19 UTC