Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: "Sverre H. Huseby" <shh () thathost com>
Date: Mon, 14 Oct 2002 17:43:02 +0200

[Rob Shein]

|   The problem with this scheme is that it requires that the browser be
|   party to the security.  What about a blackhat using netcat?  Bye-bye to
|   whatever security functionality was built into the browser, and all
|   protection contained therein.

I'm talking strictly server-side here.  I'm not asking for a different
browser.  I'm talking about how the server builds pages that it will
send to the browser.  How it will build queries that are passed to a
database and so on.

We cannot change the clients, but we can change the server
architecture.  Scrap all existing web programming environments and
create a new one that:

  * Avoids cross site scripting by making it impossible for the
    programmer to programmatically place markup on the output stream.
    Everything written to the output stream will be automatically HTML
    encoded.  We will of course need some smart template system in
    order to merge the displayed data into some pre-defined markup.
    And yes, I realise that markup sometimes depends on the data to
    display, but smart system designers will probably be able to deal
    with that problem.

  * Avoids SQL Injection by making it impossible to build SQL queries
    using string concatenation and similar that requires the
    programmer to remember handling quotes, non-numeric characters and
    other constructs.

  * Avoids Shell Command Injection by having no constructs that make
    it possible to unknowingly pass user input to the shell.

And so on.  Build a web development platform on which it is impossible
to make the common mistakes.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/

