
Possible to have compiler support (type safety) for avoiding double encoding for anti-XSS during Web development?

Developer https://www.devze.com 2023-01-19 00:10 Source: Internet

Is it possible to have compiler support to enforce the cleanup of data (XSS encoding)?

This question got me thinking about double encoding and the other times when encoding is needed. Seems like it would work great for Linq, but possibly I may need this feature in other scenarios as well.

Microsoft AntiXSS - Is there a need to Decode?


Yes, given a type system that is expressive and powerful enough, this is indeed possible.

Ur/Web, for example, is a web application framework written in the Ur programming language, in which several interesting properties are guaranteed by the type system:

  • there cannot be dead links (within the application)
  • it is impossible to generate invalid HTML
  • it is impossible to have XSS attacks
  • SQL injection is impossible
  • form fields always have a corresponding server-side handler
  • AJAX calls always have a corresponding server-side handler
  • the types of client-side form fields, server-side handlers and database tables match up
  • ... a lot more ...

Adam Chlipala, the author of Ur and Ur/Web, gave a talk about it at the Emerging Languages Camp 2010.

There are also some web frameworks in Haskell, OCaml and Scala that (try to) do (some of) that. Their type systems are powerful enough to guarantee at least some of those properties. There are type-safe embeddings of SQL into Haskell, for example, or an HTML templating language in OCaml that doesn't allow the user to generate invalid HTML.


At the point of re-presentation, that is a UI concern, as only the UI knows what the target is (and thus the appropriate encoding). So I'm not sure how you could do this at the language level, or at LINQ (being a data-access component). However, in ASP.NET MVC2 the MvcHtmlString (which is intended to represent a safe html string) goes some way to providing this, along with the new <%:foo%> syntax, which automatically encodes as necessary, but without double-encoding.

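Both answers describe the same idea from different ends: the first, a type system that makes unencoded output unrepresentable; the second, ASP.NET MVC's MvcHtmlString plus the <%: %> syntax, which encodes plain strings but leaves already-safe values alone. The following TypeScript is an added example, not code from the question, the answers, Ur/Web or ASP.NET MVC, showing how a nominal SafeHtml type and a tagged template (standing in for <%: %>) give the compiler enough information to reject raw strings at the output boundary and to make double encoding structurally impossible. All names (SafeHtml, html, render, greetingPage) and the sample input are constructed for the example.

```typescript
// Added example: a typed-HTML layer in the spirit of MvcHtmlString / <%: %>.
// Rule: encoding happens exactly once, at the string -> SafeHtml conversion,
// and only SafeHtml values may reach the response.

/** Table of the characters an HTML text/attribute encoder must replace. */
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

/** Minimal HTML encoder for text nodes and quoted attribute values. */
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

/** An HTML fragment that is already encoded (or explicitly trusted markup). */
class SafeHtml {
  private readonly value: string;

  // A private constructor plus a private field make the class nominal:
  // a bare string is not assignable to SafeHtml, so render("<b>x</b>")
  // is a compile-time error rather than an XSS bug found in production.
  private constructor(value: string) {
    this.value = value;
  }

  /** Encode untrusted text; the only place where encoding occurs. */
  static encode(raw: string): SafeHtml {
    return new SafeHtml(escapeHtml(raw));
  }

  /** Wrap markup the developer vouches for (the MvcHtmlString.Create analogue). */
  static trust(markup: string): SafeHtml {
    return new SafeHtml(markup);
  }

  toString(): string {
    return this.value;
  }
}

/**
 * Tagged template playing the role of <%: %>: string interpolations are
 * encoded, SafeHtml interpolations are inserted unchanged. Since a value is
 * only ever encoded on its way from string to SafeHtml, nesting one template
 * inside another cannot encode anything twice.
 */
function html(strings: TemplateStringsArray, ...values: Array<string | SafeHtml>): SafeHtml {
  let out: string = strings[0] ?? "";
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v : SafeHtml.encode(v)).toString();
    out += strings[i + 1] ?? "";
  });
  return SafeHtml.trust(out);
}

/** The output boundary: only SafeHtml is accepted, a raw string does not compile. */
function render(fragment: SafeHtml): string {
  return fragment.toString();
}

/** Builds a page whose inner fragment embeds untrusted input, then nests it. */
function greetingPage(name: string): string {
  // Inner template encodes the name once ...
  const greeting = html`<p>Hello, ${name}!</p>`;
  // ... and the outer template embeds the SafeHtml result as-is.
  return render(html`<body>${greeting}</body>`);
}

// Constructed sample input standing in for a user-supplied display name.
const untrustedName = '<script>alert("x")</script>';
console.log(greetingPage(untrustedName));
// render(untrustedName) would be rejected by the compiler:
// "Argument of type 'string' is not assignable to parameter of type 'SafeHtml'".
```

The design choice that matters is where the encoder lives: because `escapeHtml` is reachable only through `SafeHtml.encode`, and `html` never calls it on a value that is already `SafeHtml`, the "is this already encoded?" question the original post raises never has to be answered at runtime; the type carries the answer. What the type cannot check is `SafeHtml.trust`, which is exactly the escape hatch that deserves review, just like MvcHtmlString.Create.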
