Message-ID: <40F7459A.18136.1CA96D3E@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Exploits in websites due to buggy input
 validation where mozilla is at fault as well as the website.

Barry Fitzgerald wrote:

> I think that the best solution might be to display a dialogue box before 
> it tries to fix the tags stating that the page contains potentially 
> unsafe incomplete tags and asking whether the browser should repair them 
> or not.

Nope -- _VERY_ bad idea.

Idiot users want to blow both their feet off.

Asking them "do you want a chance to blow your feet off?" only slows 
the inevitable slightly, never prevents it.

The correct solution to all such problems is simply to reject the 
content as malformed.  And guess what will happen when you do that?  
Several really crappy web design products will disappear because the 
folk using them will drop them because no-one can see their pages _and_ 
the rest will suddenly become very interested in producing properly 
compliant content, as they should have been from the outset.

Playing "guess what the moron really meant" is a recipe for being 
screwed, so let's get over the previous "need" to "see it at all cost" 
and get some sense back into what folk are doing...


Regards,

Nick FitzGerald
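
The reject-rather-than-repair policy argued for in the message above, as an added sketch that is not part of the original post: a fail-closed check for a submitted markup fragment that refuses incomplete or unbalanced tags instead of guessing at a fix. The tag grammar (quoted attribute values only, explicit closing tags), the `VOID` set, the function names and the sample inputs are assumptions of this example.

```python
import re

# Elements that take no closing tag (small subset chosen for this sketch).
VOID = {"br", "hr", "img", "input", "meta", "link"}
# One complete tag: name, optional quoted attributes, closing '>'.
TAG = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)((?:\s+[A-Za-z-]+="[^"<>]*")*)\s*(/?)>')

class Malformed(ValueError):
    """Raised for any fragment that would need repair to be rendered."""

def validate_fragment(text):
    """Return True for a well-formed fragment, raise Malformed otherwise."""
    stack, pos = [], 0
    while pos < len(text):
        lt = text.find("<", pos)
        end = lt if lt != -1 else len(text)
        # A bare '>' in character data must be written as &gt;.
        if ">" in text[pos:end]:
            raise Malformed("stray '>' at offset %d" % text.index(">", pos))
        if lt == -1:
            break
        m = TAG.match(text, lt)
        if m is None:
            # Covers a '<' with no terminating '>' and unquoted attributes.
            raise Malformed("incomplete or malformed tag at offset %d" % lt)
        closing, name, attrs, selfclose = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if closing:
            if attrs or selfclose or not stack or stack[-1] != name:
                raise Malformed("unexpected </%s> at offset %d" % (name, lt))
            stack.pop()
        elif name not in VOID and not selfclose:
            stack.append(name)
        pos = m.end()
    if stack:
        raise Malformed("unclosed <%s>" % stack[-1])
    return True

def is_well_formed(text):
    """Boolean wrapper for use in an input filter: reject on any error."""
    try:
        return validate_fragment(text)
    except Malformed:
        return False

if __name__ == "__main__":
    # Constructed samples: one valid fragment, three that need "repair".
    for sample in ['<b>bold</b> <a href="x">link</a><br>', 'hello <b title="x"',
                   '<i>unclosed', '<b><i>x</b></i>']:
        print(repr(sample), "->", "accept" if is_well_formed(sample) else "reject")
```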

