PHP accelerators
Daniel Hilton
daniel.hilton at gmail.com
Wed Dec 5 14:01:32 GMT 2007
On 05/12/2007, Jan Grant <jan.grant at bristol.ac.uk> wrote:
> On Wed, 5 Dec 2007, Jan Grant wrote:
>
> > On Wed, 5 Dec 2007, Jan Grant wrote:
> >
> > > Better, perhaps, to go back to the original issue and tackle it from
> > > another angle: fix the <%= foo %> construct (if you MUST use it) to do
> > > the right thing, and provide a suitable support mechanism for emitting
> > > output that mucks with the structure of the output.
> >
> > OK, that's actually a relatively small "fix" to jasper. Let me see if I
> > can find a webapp that actually uses the <%= %> construct and see how
> > badly that breaks it.
>
> Last piece of code I had that used this is a year old. Ironically, my
> naive escaping left me with some double-escaped text in a bunch of
> widgets :-) Might revisit this to make it smarter.
>
> Mulling this over over lunch, I think the underlying phenomenon with
> both sql injection and various flavours of xss is that the coder expects
> to emit content; what gets emitted is structure. String interpolation,
> the <%= %> constructs just make this very easy to achieve.
>
> Rather than fixing the language, the approach should really be to fix
> the framework: make it easy (the default) to escape things properly. We
> have a decent fix for this with sql in prepared statements (php's random
> backslash-scattering junk is an attempt at the wrong fix, trying to
> make string interpolation for sql construction safe). JSF, ZPT,
> and other templating systems offer better approaches for dealing with
> the web output.
>
> I think componentisation is the trick, because a bug in a component
> that's used all over the place only needs fixing once. The trouble with
> the script-amongst-the-markup systems is that each instance of an error
> needs tracking down and fixing.

One of the interesting things that I saw at barcamplondon3 was a talk by Ben Laurie (he of Apache) on caja, a javascript capability implementation.

http://code.google.com/p/google-caja/

It's how google are doing widgets basically. And it's clever.

--
Dan Hilton
============================
DanHilton.co.uk
============================
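The "content becomes structure" point in the quoted reply, and the double-escaping problem it mentions, are easy to see side by side in a small script. The example below is added here and is not code from the thread; it is Python rather than the Java/PHP the thread is about, and the names build_db, naive_lookup, safe_lookup, sql_demo, Markup, escape and render, plus the sample rows, are assumptions made for this example. The first half contrasts string interpolation with a prepared statement on a perfectly legitimate name containing an apostrophe; the second half makes escaping the default in a tiny template renderer and types already-escaped output so that escaping it again is a no-op.

```python
import html
import re
import sqlite3

# ---------------------------------------------------------------------------
# Part 1: SQL.  Pasting a value into the query text lets content become
# structure; a prepared statement keeps the value out of the parser entirely.
# The table and rows below are constructed for this example.
# ---------------------------------------------------------------------------

def build_db():
    """Create an in-memory users table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn

def naive_lookup(conn, username):
    """Vulnerable pattern: the value is interpolated into the SQL text, so a
    quote character in it changes the statement's structure."""
    sql = f"SELECT id FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, username):
    """Prepared statement: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]

def sql_demo(username="O'Brien"):
    """Run both lookups on the same legitimate input and report the outcome."""
    conn = build_db()
    try:
        naive = naive_lookup(conn, username)
    except sqlite3.OperationalError:
        naive = "syntax error"   # the apostrophe terminated the string literal
    return naive, safe_lookup(conn, username)

# ---------------------------------------------------------------------------
# Part 2: HTML.  Escape by default, and track what is already markup so that
# escaping twice does not produce double-escaped text.  Markup, escape and
# render are names chosen for this example, not a library API.
# ---------------------------------------------------------------------------

class Markup(str):
    """A string known to be well-formed HTML that must not be escaped again.
    Only values deliberately wrapped by the caller get this type."""

def escape(value):
    """Escape anything that is not already Markup.  The result is Markup, so
    a second escape() call returns it unchanged instead of turning &lt; into
    &amp;lt;."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, **context):
    """Substitute {{ name }} placeholders.  Every substitution goes through
    escape(), so the template author opts *in* to raw markup via Markup()
    rather than having to remember to escape at each site."""
    return _PLACEHOLDER.sub(lambda m: escape(context[m.group(1)]), template)

if __name__ == "__main__":
    print(sql_demo())
    print(render("<p>Hello, {{ name }}</p>", name="<b>Dan</b> & friends"))
    print(render("<div>{{ widget }}</div>", widget=Markup("<b>trusted</b>")))
    print(escape(escape("<")))
```

Running it shows naive_lookup failing with a syntax error on "O'Brien" while safe_lookup returns the matching row, and the renderer escaping an untrusted name while passing a Markup-wrapped widget through untouched. The point of the Markup type is the one made in the thread: when escaping is the framework's default and the "already safe" state is carried in the type rather than in the programmer's memory, the fix lives in one component instead of at every <%= %> site.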