[Mod-security-developers] Proposal on html form protection [Second attempt]
From: Carles B. <cbo...@is...> - 2006-07-27 10:11:32
Hi Ivan,

The next step in our road-map for improving mod_security is to add some protection to HTML forms. Attached to this mail I've put an initial proposal of our ideas on some ways of achieving HTML form security. It would be great if you could check these ideas out and share your comments/ideas as you kindly did back when we discussed cookie management.

We've also been working on a first approach to comment removal. So far we're having some issues managing tricky situations where non-standard markup can fool libxml, and so fool our comment-stripping code, but for the standard case this new feature is almost coded and tested.

By the way, I would like to congratulate you for the work you've done on the latest 2.0 version. It is really a huge rewrite that has brought so much clarity and readability to the ms code, in addition to all the new features and the ones to come thanks to the brand new ms internal structure.

Last but not least, we expect to be able to port/merge our contributions to the 2.x branch as soon as I'm back from my holidays and form protection is coded and tested.

Best Regards.

PS: The attached documents are the text and HTML versions of the proposal. I've started using reStructuredText to write our internal documentation. It lets you write documentation as plain text with minor and almost invisible markup (basically the usual space/tab/newline conventions used in ordinary text), but provides a set of tools that let you "export"/transform these "source" text files to HTML/LaTeX/PDF. I've found all that very useful because it lets you focus on the important things without losing so much time on writing. It also lets you store versioned documentation and access/modify it with the help of nothing more than a simple text editor. If you're interested, check it out at http://docutils.sourceforge.net/rst.html

-- 
_________________________________
Carles Bonamusa Pérez
Software Engineer
Solutions Development Dept.
cbo...@is...
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________

This message and any documents attached to it may contain confidential information. Anyone who receives it in error is therefore informed that the information it contains is privileged and that its unauthorised use is prohibited by law; in that case we ask you to notify us by the same channel or by telephone (93 305 13 18), to refrain from copying the message or forwarding or handing it to anyone else, and to delete it immediately.

In compliance with Organic Law 15/1999 (Ley Orgánica 15/1999) of 13 December on the protection of personal data, Internet Security Auditors S.L. informs you that your personal data have been included in computerised files owned by Internet Security Auditors S.L., which will be the sole recipient of those data and whose exclusive purpose is customer management and commercial communication, and that you may exercise the rights of access, rectification, cancellation and objection provided for by law by letter addressed to Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, or by e-mail to: le...@is...
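The comment-removal pitfall the message mentions (markup that looks like a comment but is not, or a comment that never closes) as an added example. This is not the authors' code, not part of mod_security, and does not use libxml: it is a small hand-written tokenizer over a constructed HTML sample, shown beside the naive regex approach so the two behaviours can be compared. Everything in it (function names, the `RAW_TEXT_TAGS` set, the sample body) is an assumption made for illustration.

```python
import re

# Elements whose body is raw text: "<!--" inside them is data, not a comment.
# (Assumption for this example; a real filter would take the list from its HTML model.)
RAW_TEXT_TAGS = {"script", "style"}

# Constructed sample response body (not taken from any real site or from the proposal).
SAMPLE = (
    '<!DOCTYPE html><html><head>\n'
    '<!-- build 42 -->\n'
    '<script>var marker = "<!-- not a comment -->";</script>\n'
    '</head><body>\n'
    '<a title="<!-- keep me -->" href="/x">link</a>\n'
    '<!-- unterminated comment swallows the rest\n'
    '<p>hidden</p></body></html>'
)

_NAIVE_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_OPEN_TAG_NAME = re.compile(r"<([A-Za-z][^\s/>]*)")


def strip_comments_naive(html: str) -> str:
    """Regex approach: removes anything between '<!--' and '-->' regardless of
    context, and leaves an unterminated comment (no '-->') in place."""
    return _NAIVE_COMMENT.sub("", html)


def _scan_tag_end(html: str, i: int) -> int:
    """Return the index just past the '>' that closes the tag starting at html[i].
    A '>' inside a quoted attribute value does not end the tag."""
    quote = None
    j = i + 1
    while j < len(html):
        c = html[j]
        if quote:
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c == ">":
            return j + 1
        j += 1
    return len(html)


def strip_comments(html: str) -> str:
    """Context-aware comment stripping.

    * Real comments ('<!--' in text content) are dropped.
    * '<!--' inside a quoted attribute value or inside <script>/<style>
      bodies is data and is copied through untouched.
    * A comment with no '-->' runs to end of input, which is how a browser
      renders it, so everything after it is dropped rather than delivered.
    """
    out = []
    i, n = 0, len(html)
    while i < n:
        if html.startswith("<!--", i):
            end = html.find("-->", i + 4)
            if end < 0:
                break                       # unterminated: swallow the rest
            i = end + 3
            continue
        if html[i] == "<" and i + 1 < n and (html[i + 1].isalpha() or html[i + 1] in "/!?"):
            j = _scan_tag_end(html, i)
            tag = html[i:j]
            out.append(tag)
            m = _OPEN_TAG_NAME.match(tag)   # only opening tags match
            name = m.group(1).lower() if m else ""
            if name in RAW_TEXT_TAGS:
                close = re.compile(r"</%s\s*>" % re.escape(name), re.IGNORECASE).search(html, j)
                stop = close.end() if close else n
                out.append(html[j:stop])   # raw text copied verbatim, closing tag included
                i = stop
            else:
                i = j
            continue
        out.append(html[i])
        i += 1
    return "".join(out)


if __name__ == "__main__":
    print("naive:\n" + strip_comments_naive(SAMPLE))
    print("context-aware:\n" + strip_comments(SAMPLE))
```

On the sample, the regex version deletes the string literal inside the script, empties the `title` attribute, and passes the unterminated comment (and the `<p>` after it) through unchanged, while the tokenizer keeps the script and attribute intact and drops what the browser would never show anyway. A production filter would log the unterminated-comment case rather than silently truncate, and would need to handle further oddities this sketch ignores (`<!-->`, `--!>`, a stray `<` in text, and the changed Content-Length of the rewritten body).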