by raganwald 4549 days ago
The examples seem to be based on the premise that web apps commonly forgo the simple escaping of quotes, and instead implement a complex parsing and analysis of user input as code to identify malicious statements, which can be defeated as long as you obfuscate enough.

He gives an example of such a system.

The larger issue is that the premise behind the design of web browsers is itself flawed with respect to displaying user content. As long as it is acceptable to execute JavaScript that is embedded directly in a web page (such as within script tags or as the target of an HREF), and as long as you are also trying to display user-supplied content, security is going to be extremely fragile.

We are perpetually one careless oversight away from pwnage, and we are vulnerable to mistakes that might creep into our libraries as well as into our own code.
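As an added illustration of the contrast the comment draws (this is example code, not something raganwald or Hacker News published): output encoding does not try to decide whether input is malicious, it just makes every character inert in the context it is written into. The escaper covers HTML text and double-quoted attribute contexts, and the href check allow-lists a few URL schemes rather than trying to recognise bad ones. Function names, the scheme allow-list and the sample inputs are all constructed for this example.

```javascript
// Contextual output encoding for user-supplied content (added example, not
// from the original comment). Names and sample inputs are constructed.

// Map each HTML-significant character to its entity. Escaping works the same
// no matter how the input was obfuscated, because nothing is parsed as code.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Safe for HTML text nodes and for double-quoted attribute values.
// Not sufficient for JavaScript, CSS or URL contexts; those need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list of schemes a user-supplied link may carry. Anything else, including
// javascript: and data:, is replaced by a harmless fragment link.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function safeHref(url) {
  // Browsers ignore leading whitespace/control characters when parsing URLs,
  // so strip them before looking at the scheme (assumption: ASCII range only).
  const trimmed = String(url).replace(/^[\s\u0000-\u001f]+/, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  if (match === null) {
    // Relative or fragment URL: no scheme, nothing to allow-list.
    return trimmed;
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? trimmed : '#';
}

// Render a comment into an HTML string. Every user-controlled value passes
// through the encoder appropriate for where it lands in the markup.
function renderComment(author, text, link) {
  const href = escapeHtml(safeHref(link));
  return (
    `<p class="comment"><a href="${href}">${escapeHtml(author)}</a>: ` +
    `${escapeHtml(text)}</p>`
  );
}

// Constructed sample values.
const SAMPLE = renderComment(
  "O'Brien <admin>",
  '5 > 3 && "quoted"',
  '  JavaScript:void(0)'
);

module.exports = { escapeHtml, safeHref, renderComment, SAMPLE };
```

The point is the division of labour: `escapeHtml` never has to understand what the input means, it only has to know which context it is being written into, while `safeHref` decides what is acceptable by allow-listing rather than by recognising attack patterns. Both checks are cheap and have no obfuscation-dependent failure mode, which is what the comment means by "simple escaping" versus "complex parsing and analysis".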