[_] PHP accelerators
Jan Grant
jan.grant at bristol.ac.uk
Wed Dec 5 13:38:07 GMT 2007
On Wed, 5 Dec 2007, Jan Grant wrote:

> On Wed, 5 Dec 2007, Jan Grant wrote:
>
> > Better, perhaps, to go back to the original issue and tackle it from
> > another angle: fix the <%= foo %> construct (if you MUST use it) to do
> > the right thing, and provide a suitable support mechanism for emitting
> > output that mucks with the structure of the output.
>
> OK, that's actually a relatively small "fix" to jasper. Let me see if I
> can find a webapp that actually uses the <%= %> construct and see how
> badly that breaks it.

Last piece of code I had that used this is a year old. Ironically, my
naive escaping left me with some double-escaped text in a bunch of
widgets :-) Might revisit this to make it smarter.

Mulling this over over lunch, I think the underlying phenomenon with both
SQL injection and various flavours of XSS is that the coder expects to
emit content; what gets emitted is structure. String interpolation and
the <%= %> constructs just make this very easy to achieve.

Rather than fixing the language, the approach should really be to fix
the framework: make it easy (the default) to escape things properly. We
have a decent fix for this with SQL in prepared statements (PHP's random
backslash-scattering junk is an attempt at the wrong fix, trying to make
string interpolation for SQL construction safe). JSF, ZPT, and other
templating systems offer better approaches for dealing with the web
output.

I think componentisation is the trick, because a bug in a component
that's used all over the place only needs fixing once. The trouble with
the script-amongst-the-markup systems is that each instance of an error
needs tracking down and fixing.

Cheers (and thanks for the thought-provoking question),

jan

-- 
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
Lambda calculus? I hardly know 'er!
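The "content in, structure out" point in the message above, worked through as an added example (it is not part of Jan's post, nor code from Jasper, JSF, ZPT or PHP). It is written in Python rather than JSP/PHP so it runs stand-alone, and every name in it (`Markup`, `escape`, `render`, `addslashes`, the `users` table and the three sample inputs) is made up for illustration. It shows the same bug in both guises: `<%= foo %>`-style interpolation lets a value become markup, and SQL string building lets a value become part of the query. The fix in both cases is to move the value out of band: an escape-by-default template where emitting raw structure is an explicit, greppable act (a `Markup` object, which is also what stops the double-escaping Jan mentions), and a prepared statement for the database. The PHP `addslashes()`-style path is kept to show why it is the wrong fix: SQLite does not honour backslash escapes, so the "escaped" literal is simply a syntax error.

```python
import html
import re
import sqlite3

# Constructed sample inputs (not from the original post).
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "' OR '1'='1"
TRICKY_NAME = "O'Brien"   # legitimate content that happens to contain a structure character


# ---- Web output: <%= foo %>-style interpolation vs escape-by-default templating ----

def naive_interpolation(name: str) -> str:
    """The <%= foo %> pattern: the coder means to emit content, the browser sees structure."""
    return f"<p>Hello, {name}</p>"


class Markup(str):
    """A string already known to be well-formed HTML; render() emits it unchanged.

    Constructing one is the explicit act of 'mucking with the structure of the output'.
    """


def escape(value) -> Markup:
    """Escape anything that is not already Markup (hypothetical helper).

    Because Markup passes straight through, escape(escape(x)) == escape(x):
    no double-escaped widgets.
    """
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, **context) -> str:
    """Toy escape-by-default template engine: every {{ name }} goes through escape()."""
    def substitute(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"template variable {key!r} not supplied")
        return escape(context[key])
    return _PLACEHOLDER.sub(substitute, template)


# ---- SQL: interpolation vs addslashes() vs prepared statements ----

def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; ids are 1, 2, 3 in insertion order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), (TRICKY_NAME,)])
    return conn


def naive_sql(conn, name):
    """String interpolation: SQLI_PAYLOAD turns the WHERE clause into ... OR '1'='1'."""
    rows = conn.execute(f"SELECT id FROM users WHERE name = '{name}'")
    return [row[0] for row in rows]


def addslashes(s: str) -> str:
    """PHP addslashes()-style backslash escaping (the 'wrong fix' from the post)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def addslashes_sql(conn, name):
    """Still interpolates; silently assumes the database dialect honours backslash escapes."""
    rows = conn.execute(f"SELECT id FROM users WHERE name = '{addslashes(name)}'")
    return [row[0] for row in rows]


def prepared_sql(conn, name):
    """Prepared statement: the value travels out of band and can never become structure."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(conn=None) -> dict:
    """Run the three SQL strategies against the same inputs and summarise the outcomes."""
    conn = conn or make_db()
    results = {
        "naive_injected": naive_sql(conn, SQLI_PAYLOAD),        # every row leaks
        "prepared_injected": prepared_sql(conn, SQLI_PAYLOAD),  # payload is just a name: no match
        "prepared_tricky": prepared_sql(conn, TRICKY_NAME),     # the apostrophe is harmless
    }
    try:
        # SQLite escapes a quote by doubling it, not with a backslash, so the
        # literal 'O\'Brien' is unterminated. Other engines would accept it;
        # that dialect-dependence is exactly why addslashes() is the wrong layer.
        results["addslashes_tricky"] = addslashes_sql(conn, TRICKY_NAME)
    except sqlite3.OperationalError:
        results["addslashes_tricky"] = "syntax error"
    return results


if __name__ == "__main__":
    print(naive_interpolation(XSS_PAYLOAD))
    print(render("<p>Hello, {{ name }}</p>", name=XSS_PAYLOAD))
    print(render("<div>{{ widget }}</div>", widget=Markup("<b>bold</b>")))
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is that neither fix is about the language: `render()` and the `?` placeholder are framework-level, so a bug in `escape()` is fixed once for every page, whereas each `<%= foo %>` or f-string has to be hunted down individually.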