Re: [Pas-dev] more on generic DB session obj
From: Mental <me...@ne...> - 2002-05-17 20:30:40
On Fri, 2002-05-17 at 15:48, Kyle R. Burton wrote:
> > Any questions? Does this sound good? Can I take a chain saw to it? I'll at
> > least get this working for MySQL in the near future. Other implementations
> > shouldn't be hard.
>
> It sounds good so far, I just want to talk about it some more until I feel
> comfortable about it.

talk talk talk. you always wanna carry on about something. :)

I think we should all get together again and hash some stuff out. There have been several good ideas today. How about Monday? I'll get a case of Delirium and we'll figure stuff out. Evidently offering good Belgian ale makes everyone clear their day planners and actually show up :)

Tomorrow I'm going to the Scottish Games with the family; Sunday I have cleared for movie stuff.

That all said, dig this crap:

http://www.neverlight.com/pas/css.psp?foo=%3Cscript%3Ealert('oops')%3C/script%3E

In one round of botched hackery, none of my pages are vulnerable to CSS attacks that use the <script tag. :) Happy day. Now to make it not look like hell.

Once I'm happy with implementation details, I'll merge it into the main pas tree. Right now, I'm doing everything in RequestHandler. We can break it out easily, as I wrote my own inspect-the-request-and-break-it methods. I'm just not sure what the best way to go is. Should I make the config file the place where you specify what package RequestHandler should use to purify data? If I do that, should we support stacked (specialized) handlers? I dunno. Maybe I'm over-engineering.

I just wish I was more devious. I'm pretty much just wandering around SecurityFocus for no-brainer scripts to throw at the code. So I'm not at all sure how bulletproof this will be.

Oh, and I'm not at all sure I know all the tricks you can do to sneak the tags past. Like script... it has to look like <script> or < script> or whatever... right? Like, there can't be anything between the word script and the closing bracket, right? So, like, <script name> isn't the same thing.

Sorry if this is dumb, but I think I'm down to one brain cell today. Anybody wanna help a brother out?

--
Mental (Me...@Ne...)
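The question at the end of the message, whether a tag has to look exactly like <script> to count, is taken up from the defender's side in this added example (not code from the thread or from pas): a literal-string check misses spellings a browser still tokenizes as a script start tag, while HTML-escaping the reflected parameter on output sidesteps guessing tag spellings at all. The sample inputs and function names are constructed for illustration.

```python
import html
import re

# Constructed sample inputs for illustration (not taken from the thread):
# the payload shape the mail's link reflects, plus spellings of the same tag
# that a browser still tokenizes as a <script> start tag.
SAMPLES = [
    "<script>alert('oops')</script>",        # exact match
    "<SCRIPT>alert('oops')</SCRIPT>",        # tag names are case-insensitive
    "<script name>alert('oops')</script>",   # the mail's own question
    "<script\tsrc=x></script>",              # whitespace, then an attribute
    "nothing to see here",
]


def naive_block(value: str) -> bool:
    """The check the mail wonders about: is the literal '<script>' present?"""
    return "<script>" in value


# A browser ends a tag name at whitespace, '/' or '>' and compares it
# case-insensitively, so this is what a tag-level filter would have to match.
SCRIPT_START_TAG = re.compile(r"<script(?=[\s/>])", re.IGNORECASE)


def detects_script_tag(value: str) -> bool:
    """Tag-aware check: does the value contain a <script ...> start tag?"""
    return SCRIPT_START_TAG.search(value) is not None


def render_safely(value: str) -> str:
    """Reflect the parameter as text: encode HTML metacharacters on output
    instead of trying to enumerate every tag spelling on input."""
    return "<p>You said: " + html.escape(value, quote=True) + "</p>"


def compare(samples=SAMPLES) -> list:
    """Rows of (sample, literal_check, tag_aware_check, tag_after_escaping)."""
    rows = []
    for s in samples:
        rows.append((s, naive_block(s), detects_script_tag(s),
                     detects_script_tag(render_safely(s))))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```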