
> I just do not agree with the idea that if all are doing it, there must be some deep truth beneath.

Hypothetically, let's say you design a system that, for every 1000 legitimate users accessing it, 999 fail to understand it well enough to gain their legitimate access.

Would you still be comfortable telling the people that paid for the system that it's not the system that's wrong, but the users?



That is for sure a broken system. I would not feel comfortable telling users they are wrong, even if the numbers were 10 out of 1000 or less. But we might be talking about different things. I gave the example of developers building a hopefully secure system, not users using it. If your point is that developers are users of languages, and that 1 in 1000 succeeds in building a secure system, then indeed languages are broken. But are you really arguing against input sanitization?


I'm not arguing against input sanitisation, I'm just arguing (rather poorly, it seems) that if the majority of folks are skipping some security feature, then the feature is not well enough designed.

I'm for input sanitisation, I'm against having it optional and left up to the developer.

Typing on a phone makes me unnecessarily brief, apologies.
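As an added illustration of the point being argued (example code written for this page, not something any commenter posted), here is the same lookup built two ways: once where sanitisation is a separate step the developer has to remember, and once where the only API available keeps query text and values apart, so forgetting is not possible. The table, rows and inputs are constructed for the example.

```python
"""Added example: optional sanitisation vs. sanitisation enforced by design.
Uses the standard-library sqlite3 module with an in-memory database."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # constructed sample rows
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- design 1: sanitisation is a separate, optional step -------------------
def escape(value: str) -> str:
    """Doubles single quotes; only helps if every caller remembers to use it."""
    return value.replace("'", "''")


def find_user_optional(conn, name: str, sanitised: bool):
    """A developer who forgets to pass sanitised=True ships an injectable query."""
    if sanitised:
        name = escape(name)
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# --- design 2: the only API takes values as parameters ---------------------
class SafeQuery:
    """Query text is fixed at construction; values travel separately.
    There is no method that splices a value into the SQL text, and a quote
    in the text is rejected so literals cannot sneak in at construction."""

    def __init__(self, sql: str):
        if "'" in sql:
            raise ValueError("string literals belong in parameters, not in SQL text")
        self.sql = sql

    def run(self, conn, *params):
        return conn.execute(self.sql, params).fetchall()


FIND_USER = SafeQuery("SELECT name, role FROM users WHERE name = ?")


def find_user_mandatory(conn, name: str):
    return FIND_USER.run(conn, name)


def demo():
    conn = make_db()
    benign = "alice"
    # constructed input that closes the quote and widens the WHERE clause
    hostile = "x' OR '1'='1"
    return {
        "optional_forgotten": find_user_optional(conn, hostile, sanitised=False),
        "optional_remembered": find_user_optional(conn, hostile, sanitised=True),
        "mandatory": find_user_mandatory(conn, hostile),
        "mandatory_benign": find_user_mandatory(conn, benign),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

In the first design the outcome depends on a flag the developer has to remember on every call site; in the second the safe path is the only path the API offers, which is the difference between "optional and left up to the developer" and a feature that is simply part of how the system works.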


Ah, that we agree on!



