Secure Coding mailing list archives
Survey
From: jim at manico.net (Jim Manico)
Date: Tue, 26 Aug 2008 11:06:21 -1000
Making very complex Ajax rich-client web applications perfectly xHTML valid is not easy. Most of the enterprise world goes way beyond simple flat file xHTML. Add in (the real reality of) highly database-driven, dynamically generated javascript/ajax heavy pages, and I continue to conjecture that perfect xHTML is not only not that important but very difficult to accomplish. Or at least it's not "simple" as you state below. Heck, who is to say that you can't accomplish XSS or other client-side attacks and still be xHTML compliant? I think you would go a lot further in securing your apps if you got programmers to html entity encode output data, actually do access control right, encode data on the server side to prevent injection attacks, etc. Sure the WAF world would like xHTML - but we do not live in a perfect world. Most sites are not xHTML compliant in the enterprise.

- Jim
> At 9:12 AM -1000 8/26/08, Jim Manico wrote:
> > How does xHTML help stop access control vulnerabilities? Authorization issues? CSRF problems?
>
> It is indicative of the caliber of the people who built the site. My immediate interest is that validation combats browser crashes. I am not interested in dealing with people who cannot get the simple things right.
--
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security - Securing your applications at the source
http://www.aspectsecurity.com
---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008
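The point Jim makes above, that a page can be perfectly well-formed xHTML and still carry injected script, and that entity-encoding output is what actually stops it, is easy to check mechanically. The following is an added example written for this archive page, not code from the thread or from any of the posters: it renders a constructed user comment into a minimal XHTML document both unencoded and entity-encoded, then uses Python's XML parser as a stand-in for a validator. Both variants parse as well-formed XML; only the encoded one keeps the comment out of the element tree. The page template, the `INJECTED_COMMENT` sample and the function names are all assumptions made for the example.

```python
import html
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample input: a "comment" a user might submit to the page.
# On its own it is well-formed XML, so concatenating it into an XHTML
# document does not break well-formedness.
INJECTED_COMMENT = (
    '<script type="text/javascript">document.title = "injected";</script>'
)

# Assumed page template; the comment is dropped into the div.
_TEMPLATE = (
    '<html xmlns="%s"><head><title>Comments</title></head>'
    '<body><div class="comment">%s</div></body></html>'
)


def render_unencoded(comment):
    """Vulnerable rendering: raw user data concatenated into the markup."""
    return _TEMPLATE % (XHTML_NS, comment)


def render_encoded(comment):
    """Hardened rendering: HTML-entity encode the data before it reaches
    the markup. html.escape turns < > & " ' into entity references, all of
    which are also legal XML, so the output stays well-formed."""
    return _TEMPLATE % (XHTML_NS, html.escape(comment, quote=True))


def is_well_formed(document):
    """Stand-in for an xHTML validator: does the document parse as XML?"""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def script_elements(document):
    """Return every <script> element the parser sees in the document.
    This is what a browser would execute, regardless of validity."""
    root = ET.fromstring(document)
    return list(root.iter("{%s}script" % XHTML_NS))


def comment_text(document):
    """Return the text content of the comment div as the parser decodes it."""
    root = ET.fromstring(document)
    div = root.find(".//{%s}div" % XHTML_NS)
    return div.text or ""


if __name__ == "__main__":
    for label, page in (("unencoded", render_unencoded(INJECTED_COMMENT)),
                        ("encoded", render_encoded(INJECTED_COMMENT))):
        print("%-10s well-formed=%s script_elements=%d" % (
            label, is_well_formed(page), len(script_elements(page))))
```

Run it and both rows report well-formed, yet only the unencoded page contains a script element: validity says nothing about whether untrusted data became markup. The encoded page's div text decodes back to exactly the submitted string, which is the behaviour you want from output encoding: the data is displayed, never interpreted.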