
Don't trust any data that comes from outside your app (urls, querystrings, http request headers, databases, files) and you'll be right.

Perl's Taint Mode enforces this automatically. Don't know if any other languages have it? http://www.webreference.com/programming/perl/taint/



I don't think taint mode is helpful for this. All data comes from outside of your program, but you somehow still have to display it. As we've seen recently, this is hard to get right. Escaping HTML is one thing, but what if you want to let a user type in a URL? Make sure to exclude javascript: URLs. Even if you whitelist only "http://..." URLs, how do you know that a browser bug won't allow an attacker to inject JavaScript, compromising any account used by a user of that web browser?

Basically, web browsers need taint mode. The programming language that produces the web page is a whole other issue.
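The comment above argues that excluding javascript: URLs is harder than it looks. The following is an added example, not code from the thread: it contrasts a string-based denylist with an allowlist that parses the link the way the browser will (the WHATWG URL parser available in Node.js and browsers). The sample inputs are constructed attacker strings, and the function names are assumptions for illustration.

```javascript
// Added example: allow-listing user-supplied link URLs by parsing them,
// instead of by string checks that the browser's own parser does not share.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Naive denylist: reject anything that "starts with javascript:".
// trim() and toLowerCase() look careful, but the browser normalises the
// string differently before it reads the scheme.
function denylistIsSafe(input) {
  return !input.trim().toLowerCase().startsWith("javascript:");
}

// What the browser will actually treat as the scheme, or null if the
// string is not an absolute URL at all.
function parsedProtocol(input) {
  try {
    return new URL(input).protocol; // no base URL: relative links are rejected
  } catch {
    return null;
  }
}

// Allowlist after parsing. Returns the normalised href, or null to drop it.
function safeHref(input) {
  const protocol = parsedProtocol(input);
  if (protocol === null || !ALLOWED_PROTOCOLS.has(protocol)) return null;
  return new URL(input).href;
}

// Constructed inputs (not from any real site). The WHATWG parser strips
// ASCII tab/newline anywhere in the input and leading/trailing control
// characters and spaces, and lowercases the scheme, so several of these
// become plain javascript: URLs once the browser parses them.
const SAMPLES = [
  "https://example.com/page",
  "http://example.com/?q=1",
  "https://example.com/#javascript:alert(1)", // harmless: only the fragment mentions it
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)", // denylist says safe, browser runs it
  "data:text/html,<script>alert(1)</script>", // not javascript:, still script-capable
  "/relative/path",
];

for (const s of SAMPLES) {
  console.log(
    JSON.stringify(s).padEnd(50),
    "denylist:", denylistIsSafe(s),
    "parsed:", parsedProtocol(s),
    "allowlist:", safeHref(s),
  );
}
```

The point the table makes when run: `"java\tscript:alert(1)"` passes the denylist but parses to the `javascript:` scheme, and `data:` passes the denylist outright, while the allowlist rejects both and also rejects relative URLs. Parsing with the same algorithm the browser uses closes the normalisation gap; it does not, as the comment says, protect against a browser bug in that parser.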


IIRC, Ruby lets you set taintedness Safe Levels with the -T command-line option or setting $SAFE per thread.



