- Subject: Re: Support of kepler, sputnik, etc and security risks
- From: Florian Weimer <fw@...>
- Date: Wed, 21 Oct 2009 21:25:20 +0200
* Yuri Takhteyev:
> While XSS attacks are almost always based on browser bugs,
Not true. Most of them are caused by templating engines which do not
differentiate between template contents and externally supplied data
at the type level. (This does not need a static type system, a
dynamic type system is completely sufficient.)
It's actually fairly easy to patch existing templating frameworks to
implement this, but you may lose tool support along the way. And if
the template framework does not support the moral equivalent of
subroutines, the changes are not backwards-compatible.
- References:
- Support of kepler, sputnik, etc and security risks, Fernando P. García
- Re: Support of kepler, sputnik, etc and security risks, Jim Whitehead II
- Re: Support of kepler, sputnik, etc and security risks, David Given
- Re: Support of kepler, sputnik, etc and security risks, Petite Abeille
- Re: Support of kepler, sputnik, etc and security risks, Jim Whitehead II
- Re: Support of kepler, sputnik, etc and security risks, Fernando P. García
- Re: Support of kepler, sputnik, etc and security risks, Bertrand Mansion
- Re: Support of kepler, sputnik, etc and security risks, Yuri Takhteyev
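The distinction Weimer describes, as an added illustration that is not part of his post and not code from Kepler or Sputnik: a small renderer in Python (standing in for the Lua frameworks under discussion) in which literal template text and already-escaped output are carried in a `Markup` type, while every other value is treated as untrusted data and escaped at substitution time. The decision is made on the runtime type of each value, so no static typing is involved. The names `Markup`, `escape`, `render`, `link` and `legacy_link` and the `{{name}}` placeholder syntax are my own choices for this example; the last function shows the backwards-compatibility problem he mentions, where a template subroutine written before the type distinction existed returns a plain string and is therefore escaped a second time.

```python
import html
import re


class Markup(str):
    """A string known to be safe HTML: literal template text, or data that
    has already been escaped. Only values of this type pass through the
    renderer unescaped; a plain str is always treated as untrusted data."""

    __slots__ = ()

    def __add__(self, other):
        # Concatenation escapes the other side first, so the result may stay
        # Markup without laundering untrusted data into the trusted type.
        return Markup(str.__add__(self, escape(other)))

    def __radd__(self, other):
        return Markup(str.__add__(escape(other), self))

    def join(self, parts):
        return Markup(str.join(self, [escape(p) for p in parts]))


def escape(value):
    """The type-level check: Markup is returned as-is, anything else is
    converted to text and HTML-escaped (including quotes for attributes)."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


# Hypothetical placeholder syntax for this example: {{ name }}
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, **context):
    """Render a template string. Text between placeholders is trusted
    template content (Markup); substituted values go through escape()."""
    out = []
    pos = 0
    for m in _PLACEHOLDER.finditer(template):
        out.append(Markup(template[pos:m.start()]))
        out.append(escape(context[m.group(1)]))
        pos = m.end()
    out.append(Markup(template[pos:]))
    return Markup("").join(out)


def link(href, text):
    """A template subroutine that is itself rendered, so it returns Markup
    and can be substituted into an enclosing template without double escaping."""
    return render('<a href="{{href}}">{{text}}</a>', href=href, text=text)


def legacy_link(href, text):
    """A subroutine written before the type distinction: it escapes correctly
    but returns a plain str, which the type-aware renderer cannot tell apart
    from untrusted data, so its markup is escaped again when substituted."""
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(text, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample values: a user-controlled name and a helper result.
    print(render("<p>Hi {{name}}</p>", name="<script>alert(1)</script>"))
    print(render("<p>{{body}}</p>", body=link("/x", "a<b")))
    print(render("<p>{{body}}</p>", body=legacy_link("/x", "a<b")))
```

The first two calls show the intended behaviour: externally supplied text is neutralised, and a subroutine that returns `Markup` composes cleanly. The third shows why retrofitting this onto a framework whose subroutines return bare strings is not backwards-compatible: `legacy_link` is correct on its own, yet its output is escaped once more because nothing in its type says it is already safe.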