[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Php why must your apps suck so?



On 10/24/07, Toshio Kuratomi <a badger gmail com> wrote:
> Paulo Santos wrote:
> > Drupal + SELinux + mod_security ?!
> >
> It looks like the combination of SELinux and mod_security will cover the
>    range of exploits as long as we have policy that covers all the
> approaches in both SELinux and mod_security.  I have some misgivings
> about running software that I know is going to need third party tools to
>   enforce security rather than having the extra checks be part of
> defense in depth but it seems that that would work.
>
> And in answer to the subject, "Php why must your apps suck so?" the
> unfortunate answer is that it's built into the language.  <?php $USERVAR
> ?> and <?php echo $USERVER ?> are inherently bad because they don't html
> escape $USERVAR yet it is the method used by practically all php code to
> output variables to the page.
>
> Many Python web frameworks address this issue in the framework by
> automatically html escaping any variable which is displayed in the
> template.  Notably, kid and genshi (the template languages we're using
> for our TG deployments) work this way.  PHP, on the other hand, makes
> constant vigilance necessary.

Perhaps it's possible to help mitigate any non-escaped output by
developing (or using) whatever themes need to be developed for a
Drupal install using smarty ? quite a few of the themes do use smarty.

--
Craig

> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]