Secure Coding mailing list archives
Some Interesting Topics arising from the SANS/CWE Top 25
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 14 Jan 2009 20:55:38 +0100
* Steven M. Christey:
> Yet smart people insist that it's still input validation, even when presented with the example I gave. So what's the perspective difference that's causing the disconnect?
Some technologies are designed as if to discourage proper output encoding. Most templating engines (native PHP, Perl variable interpolation, JSP, Template::Toolkit, StringTemplate) discard the distinction between literal strings in the template and substitution variables. In many cases, there's little support for composing reusable, parameterized templates from other templates, and you have to fall back to the host language and plain string concatenation instead to create such abstractions. This means that it appears rather costly to do proper output encoding, especially in legacy systems.

And input encoding looks very easy to do (at least until you discover more and more potential input paths). But I suspect that the culture of input validation is partly responsible for the difficulty of addressing cross-site scripting issues. 8-(

(There's also a rather nasty potential explanation: input validation sells web firewalls and related services, output encoding does not.)
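The two properties Florian says most templating engines lack, a hard distinction between literal template text and substituted values, and the ability to compose parameterized templates from other templates without dropping back to string concatenation, can be illustrated in a few dozen lines. The following is an added example and not code from the post or from any of the engines it names; the `{name}` placeholder syntax, the `Markup` wrapper type and the `render_*` helpers are all assumptions made for the illustration. Encoding happens once, at substitution time, and already-rendered fragments carry a type that tells the renderer not to encode them again, so nested templates compose without double-encoding.

```python
"""Added example (not from the original post): output encoding at the
template layer, with a type that keeps literal markup distinct from data.

Assumptions (for this illustration only): a {name} placeholder syntax, and a
Markup wrapper that marks strings which are already encoded so that nested
templates compose without double-encoding.
"""
import html
import re


class Markup(str):
    """A string that is already safe HTML.

    Substituting a Markup value into a template passes it through unchanged;
    a plain str is always encoded. Template literals are the only other
    source of raw markup, so untrusted data never reaches the output
    unencoded unless someone explicitly wraps it in Markup.
    """
    __slots__ = ()


def encode(value) -> str:
    """HTML-encode a substitution value unless it is already Markup.

    html.escape(quote=True) covers & < > " and ', which is sufficient for
    text content and for values placed inside quoted attributes.
    """
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template: str, **values) -> Markup:
    """Render a template string.

    Literal template text is trusted markup written by the developer; every
    substituted value is encoded (unless it is Markup). A missing variable is
    an error rather than silently rendering an empty string.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template variable {name!r} not supplied")
        return encode(values[name])
    return Markup(_PLACEHOLDER.sub(substitute, template))


# Reusable, parameterized sub-templates (constructed for the example),
# composed without falling back to plain string concatenation of raw data.
ITEM = '<li class="{css}">{label}</li>'
LIST = "<ul>{items}</ul>"
PAGE = "<h1>{title}</h1>{body}"


def render_item(label, css="item") -> Markup:
    return render(ITEM, css=css, label=label)


def render_list(labels) -> Markup:
    # Each item is already Markup; joining them and re-wrapping keeps the
    # "already encoded" property, so render() will not encode them again.
    return render(LIST, items=Markup("".join(render_item(l) for l in labels)))


def render_page(title, labels) -> Markup:
    return render(PAGE, title=title, body=render_list(labels))


if __name__ == "__main__":
    # Constructed sample data: two values contain markup characters.
    print(render_page("Todo <today>", ["buy milk", "<b>read</b> mail", 'say "hi"']))
```

Running the block prints `<h1>Todo &lt;today&gt;</h1><ul><li class="item">buy milk</li><li class="item">&lt;b&gt;read&lt;/b&gt; mail</li><li class="item">say &quot;hi&quot;</li></ul>`: the angle brackets and quotes in the data are encoded exactly once, while the `<ul>`, `<li>` and `<h1>` literals pass through because they come from templates, not from variables. The design choice worth noting is that the default path encodes and the developer must opt out by constructing `Markup`, so a forgotten encoding step shows up as garbled display rather than as script injection. Real engines that implement this pattern (autoescaping with a marked "safe string" type) exist; this block is only a sketch of the mechanism, not a substitute for one.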