<< Some of them do, some probably don't | and also, consumers return to pizza after trying out the new Nauruan place down the block a couple times >>

[esc]1GAvi, the web, HTML, script, and content[esc]

Thursday, 11 September 2008 15:39 by kevin

(hint: á a vi keystroke sequence)

Just a sort of random thought that's been brewing in the back of my mind for a while, and exacerbated by playing with the editor built into this blog: it's a bad thing that we need to sanitize user inputs to make sure they're not malicious HTML or script. It's a bad thing that thousands of projects and millions of web developers have to even think about this. It's an unconscionable drag on productivity.

Possible solutions:

1) create a post-spammer, post-troll utopia where no one even wants to enter malicious text into the entry boxes.

2) differentiate markup and code from content.

Considering the amount of work that's gone into the Web as we know it, #2's not a likely option, so we're stuck with #1.

Seriously, I'm sure somebody could come up with a reason why this wouldn't work, or would be counterproductive -- it literally is something I just thought of -- but it seems to me there ought to be a better way. If it wasn't clear from the title, my model is vi. (For the uninitiated) it centers on a very basic idea: different modes for commands and content. Typing "G" in text mode gives you the letter "G". Hitting "G" in command mode brings you to the bottom of the file/buffer. "4x" in command mode will delete the next 4 characters after your current cursor location. There are many keystrokes that will put you into text mode, but only one (AFAIK) that will put you into command mode (ESC).

So, wouldn't it be nice if you could count on a "<script>SendInfoToEvilPerson(document.cookie)</script>" rendering as text content, and not executing as a script? Should this really be so hard? Discuss.

Update: Ugh. Tags: "Vi" and "Xss"? (I typed in "vi,XSS") Ugh. I mean, I like case-insensitivity as much as the next guy, but saying that searching for "VI" should return a match with "vi" isn't the same as saying that any rendering of these terms is as good as any other (if you click the tags, you'll see that the URL has them in all lower case, which would honestly be much better than "proper case" for both of these terms). Kind of weird, coming from a blogging tool by programmers, and probably mostly for programmers.

Be the first to rate this post

Currently 0/5 Stars.
1
2
3
4
5

Tags:		vi, xss
Categories:		Dev Theory \| Rants
Actions:		E-mail \| del.icio.us \| Permalink \| Comments (2) \| Comment RSS

Developer Jargon With some amusement and a good chunk of confusion, I've been following the ongoing debate betw...Who Are You?We are developers. What kind of developers we are depends on who you are. If you want u...The Myth of OOTB (Part 1-The Rant) Author/Editor Note: Originally, I thought this post would stand on its own. But after reading it a...

Comments

December 1. 2008 15:27

I thought var newstring = oldstring.Replace("<", "<").Replace(">",">"); was for making <script>SendInfoToEvilPerson(document.cookie)</script> display as a string and not a command.

vi does not store your commands in the stream of text and replay them everytime you open the file. It simply stores the result as a plain text file. So you could use a different mode for content and commands, but the end result is still just content. It's then the browser that determines how to render the content.

So really, you need a custom input, and custom output control. The input control would need to save the entire stream of data, text and commands, and the output control would need to replay those commands inline and then display the content portions and not the code portions.

Unless I'm getting your point wrong. Which is possible.

Bryan

December 1. 2008 17:44

But part of the issue I'm talking about is the fact that you have a solution for that one case. You've thought about this. I've thought about it a lot. 100 million programmers around the world have spent millions of person-years on this issue, when it seems to me -- though I haven't specced out any kind of solution, by any means -- that it should be possible for browsers and servers to divide code and content. Yes, that's probably contrary to the whole idea of "markup". I guess the idea that's gradually forming in my head now is that maybe it would be better to sacrifice the convenience of markup -- the interspersing of content and code, in a common character set -- to get rid of the incredible inconvenience of sanitizing and unsanitizing. All the conversions. Blech.

This post is actually (in current form) a prime example. In, the first line, I put in an up-arrow in WingDings. I posted the post and it looked fine. I edited the post, and at some point, my WingDing up arrow, which is just the WingDing glyph for the ANSI character "á", got converted into "á", so now it's rendering as "á" (I hope these characters come through correctly in this comment box). I don't know whether BlogEngine.NET did it, whether TinyMCE did it, whether it was Opera, or Firefox, or IE. But somehow it got converted, and while I can probably fix it, I don't know how to keep it from happening again, because there are too many places where people have written specific code to deal with specific cases like this.

I don't know; maybe the post needs some major rewriting. I'm using vi only as an example of a different model of stream processing. I'm not following what you mean with the input and output control stuff -- are you talking specifically about ASP.NET? Because I'm not, not at all.

I don't expect that this is a new idea. As I mentioned (in IM) a couple weeks ago, with the Case of the Already-Invented Light Bulb, nearly every only mildly-complicated idea I have is either being done already, or is not going to be done. So this idea is almost certainly something that's been explored and rejected. Whether it's been rejected because it's truly an unworkable or plain old bad idea, or because it's just not good enough to merit throwing out the entire World Wide Web, is what I'm not sure of right now.

kevin

[esc]1GAvi, the web, HTML, script, and content[esc]

Related posts

Comments

Search

Tags

Categories

Archive

Blogroll

Disclaimer