Secure Coding mailing list archives

Some Interesting Topics arising from the SANS/CWE Top 25


From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 14 Jan 2009 20:55:38 +0100

* Steven M. Christey:

   Yet smart people insist that it's still input validation, even
   when presented with the example I gave.  So what's the
   perspective difference that's causing the disconnect?

Some technologies are designed as if to discourage proper output
encoding.  Most templating engines (native PHP, Perl variable
interpolation, JSP, Template::Toolkit, StringTemplate) discard the
distinction between literal strings in the template, and substitution
variables.  In many cases, there's little support for composing
reusable, parameterized templates from other templates, and you have
to fall back to the host language and plain string concatenation
instead to create such abstractions.  This means that it appears
rather costly to do proper output encoding, especially in legacy
systems.  And input encoding looks very easy to do (at least until you
discover more and more potential input paths).

But I suspect that the culture of input validation is partly
responsible for the difficulty of addressing cross-site scripting
issues. 8-(

(There's also a rather nasty potential explanation: input validation
sells web firewalls and related services, output encoding does not.)

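A minimal illustration of the distinction Florian describes, added here as an example and not code from the original thread: a template interpolator that keeps literal template text apart from substituted values and encodes each value for its declared HTML context by default, next to the naive interpolation that simply merges the two. The `{{name}}` / `{{name|attr}}` placeholder syntax and all sample values are assumptions constructed for this example.

```python
import html
import re
from typing import Mapping

# Assumed placeholder syntax for this example: {{name}} substitutes into
# element content, {{name|attr}} into a double-quoted attribute value.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)(?:\|(\w+))?\s*\}\}")


def encode_html_text(value: str) -> str:
    """Encode a value for the HTML element-content context."""
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """Encode a value for a double-quoted HTML attribute context."""
    return html.escape(value, quote=True)


ENCODERS = {"text": encode_html_text, "attr": encode_html_attr}


def render_naive(template: str, values: Mapping[str, str]) -> str:
    """Naive interpolation: literal template text and substituted values are
    merged without any encoding, the behaviour the post criticizes."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def render_encoded(template: str, values: Mapping[str, str]) -> str:
    """Encoding-by-default interpolation: literal template text passes through
    untouched, and every substituted value is encoded for its context, so the
    result is safe regardless of which input path the value arrived by."""
    def substitute(m: re.Match) -> str:
        name, context = m.group(1), m.group(2) or "text"
        return ENCODERS[context](values[name])
    return PLACEHOLDER.sub(substitute, template)


# The literal "&amp;" is author-controlled markup and must survive as-is.
TEMPLATE = '<p title="{{who|attr}}">Hello, {{who}} &amp; welcome</p>'
# Constructed untrusted value, as it might reach the template from any input path.
UNTRUSTED = {"who": '<b title="x">Ann & Bob</b>'}

if __name__ == "__main__":
    print(render_naive(TEMPLATE, UNTRUSTED))    # markup from the value is emitted verbatim
    print(render_encoded(TEMPLATE, UNTRUSTED))  # only the template's own markup survives
```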