PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 21:43:28 GMT 2007
On 7 Mar 2007, at 21:14, Tim Sweetman wrote:
> The natural tendency will be to use the default thing, whether from
> inexperience, carelessness, or trying to do fifteen other things at
> once. If the default thing puts escaping on, then your markup
> doesn't work. This is immediately (or almost immediately) evident,
> and gets fixed.
>
> If the default thing puts escaping off, nothing happens for ages,
> until your work is live, and then it gets pwn3d.
>
> Escaping on by default is the right behaviour for templating
> systems for web apps.
Maybe so - but as soon as they discover that echo "<h1>$title</h1>"
doesn't do what they expected they'll find out how to turn off
escaping and won't bother to escape the title.
Additionally they'll probably read that "HTML escaping is turned on
by default to help avoid XSS vulnerabilities" and assume that they're
somehow indemnified from having to think about it as a result.
--
Andy Armstrong, hexten.net
More information about the london.pm
mailing list