[_] PHP accelerators

Jan Grant jan.grant at bristol.ac.uk
Wed Dec 5 12:18:55 GMT 2007

On Wed, 5 Dec 2007, Richard Davey wrote:

> Hi Jan,
> 
> Wednesday, December 5, 2007, 11:04:10 AM, you wrote:
> 
> > The downside is you're still running PHP; application-level
> > injection and xss bugs are still ten a penny. That's just a
> > reflection of the typical* PHP programmer's carelessness**.
> 
> Last time I checked JSP was just as vulnerable to developer
> carelessness; I've seen more than my fair share of XSS vulnerability
> announcements relating to apps built with it.
> 
> Is there ANY language out there that a suitably inept developer can't
> bring to its knees?

Agreed, raw JSP is akin to any of the other script-embedded-in-html 
systems - prone to problems, that typically stem from the <%= expr %> 
construct just chucking characters into a char stream. <%= foo %> is the 
xSP moral equivalent of string interpolation*.

Whilst the various tag libraries (and JSF and stuff of that ilk) are 
much better in this regard, what you're really after is something that 
supports a rich type system that can carry the notion of safety (and 
what that means) with values - something like taint checking on 
steroids. In conjunction with an appropriate ORM you could potentially 
roundtrip that marking through the serialisation process.

As a language, java doesn't really help here: you can't effectively 
annotate the basic types without the resulting language being (not 
java). Might be able to build something on top of javascript 2, but 
that's pretty much because it's scheme :-) Of mainstream languages, you 
could perhaps put this capability into python, but it'd represent a huge 
effort.

Better, perhaps, to go back to the original issue and tackle it from 
another angle: fix the <%= foo %> construct (if you MUST use it) to do 
the right thing, and provide a suitable support mechanism for emitting 
output that mucks with the structure of the output.

Hm, food for thought.
jan

* I'm sure everyone knows by now how I feel about that misbegotten 
abfeature.

-- 
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
Spreadsheet through network. Oh yeah.
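The two ideas in Jan's message (a value that carries its own "safe" marking through the system, and a `<%= expr %>` construct fixed to escape by default) can be sketched in a few lines of Python. The following is an added illustration, not code from the list thread; the template syntax, the `SafeHtml` marker type and the `link` helper are all constructed here, and the templates only look up names in a dictionary rather than evaluating expressions.

```python
import html
import re


class SafeHtml(str):
    """A str subclass whose type records that the value is already
    well-formed, escaped markup. The mark travels with the value, so a
    renderer can distinguish trusted fragments from raw text without a
    separate taint table (the 'taint checking on steroids' idea)."""
    __slots__ = ()


def escape(value) -> SafeHtml:
    """Escape for an HTML text or double-quoted attribute context.
    Idempotent on SafeHtml, so a trusted fragment is never double-escaped.
    Other contexts (URL parameters, inline script) need their own encoders;
    this helper does not cover them."""
    if isinstance(value, SafeHtml):
        return value
    return SafeHtml(html.escape(str(value), quote=True))


# The <%= expr %> construct, where expr is a variable name in this toy.
_EXPR = re.compile(r"<%=\s*(\w+)\s*%>")


def render_naive(template: str, ctx: dict) -> str:
    """JSP/ASP-style behaviour the message criticises: evaluate the
    expression and chuck its characters straight into the output stream.
    Kept only for comparison with render_safe."""
    return _EXPR.sub(lambda m: str(ctx[m.group(1)]), template)


def render_safe(template: str, ctx: dict) -> SafeHtml:
    """The fixed construct: every interpolated value passes through
    escape(), so only values explicitly marked SafeHtml reach the output
    as live markup. The result is itself marked safe, so a rendered
    partial can be interpolated into an outer template without re-escaping."""
    return SafeHtml(_EXPR.sub(lambda m: escape(ctx[m.group(1)]), template))


def link(href: str, text: str) -> SafeHtml:
    """The 'suitable support mechanism' for output that deliberately adds
    structure: escape each untrusted piece, then mark the assembled
    fragment as safe. Constructed helper, not from the thread."""
    return SafeHtml(f'<a href="{escape(href)}">{escape(text)}</a>')


if __name__ == "__main__":
    # Constructed untrusted input containing markup characters.
    ctx = {"name": "<i>untrusted</i> & co"}
    print(render_naive("<p>Hello <%= name %></p>", ctx))  # markup goes live
    print(render_safe("<p>Hello <%= name %></p>", ctx))   # markup is inert
    # A trusted fragment built through the helper keeps its structure.
    print(render_safe("<p><%= who %></p>",
                      {"who": link("/u?id=1&tab=2", 'Tom & "Jerry"')}))
```

The point of the `SafeHtml` type is that the decision "is this already escaped?" is made exactly once, where the fragment is built, and then answered by the type system at every later interpolation; in a language whose strings cannot be subtyped this way, the mark has to live outside the value, which is the difficulty Jan describes with Java.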