Full Disclosure mailing list archives
Re: Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 15 Jul 2004 12:10:10 -0400
Nick FitzGerald wrote:
I'm not sure I'd call it a *very* bad idea... it's better than silently finishing incomplete tags.

Nope -- _VERY_ bad idea.

Well, yeah, and that's always going to be the case no matter what you do. Let's at least make it so that non-idiot users don't get their feet blown off regardless.

Idiot users want to blow both their feet off. Asking them "do you want a chance to blow your feet off?" only slows the inevitable slightly, never prevents it.

The correct solution to all such problems is simply to reject the content as malformed. And guess what will happen when you do that? Several really crappy web design products will disappear because the folk using them will drop them because no-one can see their pages _and_ the rest will suddenly become very interested in producing properly compliant content, as they should have been from the outset.

Yeah - that's probably a better idea. It's garbage data if it's malformed. Dropping it is far better.
-Barry