HTML Cleaner "Spermicide"

[crschmidt]

While we could discuss forever that HttpOnly isn't a complete solution for all
attack instances, that's not what matters. It's like saying, "Well, condoms
don't _always_ work, so let's just not use anything!" HttpOnly does work most
of the time, especially for stopping what our HTML/CSS spermicide doesn't.

-- Brad, https://bugzilla.mozilla.org/show_bug.cgi?id=178993#c49

Comments

[alacrity.livejournal.com]

The problem with that kind of analogy is that in this case your "sperm" is a live human attacker who can adapt and work around the instances where it does work. It's not so much a bad argument, just a bad analogy, that might mistakenly lead one to believe that the problem is solved "well enough." It isn't. More solutions should be pursued, and one should not be taken in by a false sense of security.

That sentiment is generally the reason behind arguments against impartial solutions -- a false sense of security can sometimes be worse than no security at all.

[crschmidt.livejournal.com]

I just thought the analogy was funny. ;)

[alacrity.livejournal.com]

Well yes, there is that. ;-)

[nostrademons.livejournal.com]

Well, the real solution would be to not allow any freeform HTML codes - if something goes in as text, it comes out WYSIWYG, including angle brackets galore. Somehow, I don't think this would be terribly popular with users.

I wouldn't be surprised if LJ and other sites started moving to WYSIWYG HTML editors eventually though, and invented some sort of AJAX drag 'n drop for layouts. The only way to really get secure is to constrain what your users can do to some known set, rather than trying to filter out known attacks. Kinda a pain for users and site admins though, and not the way most programmers are used to programming.

'Sides, then the hackers would just switch to MySpace. AFAIK that's even less secure than LJ, because they have more places for freeform entry and less validation. Broken HTML seems really common on MySpace layouts.