undefined | Better HN

0 pointsandersonmvd10y ago0 comments

Some programming styles are not defensive from a security perspective. As a programmer one should acknowledge that using "render" passing a param right from the request, without validating it, is not a good thing, right? That's my point. Some issues here can be solved just by taking the right approach, but won't solve for all of them, of course. XSS mitigation works better with encoding rather than sanitization. If you want me to explain I explain.

But hey, you won't do any good complaining in face of this situation. Time to help people fix it. Peace.

0 comments

Alex391710y ago

I mean ideally you should 1) strip tags 2) encode 3) use X-XSS headers 4) use CSP headers. That way if any one of these fails, the others will catch it.

That said, there still shouldn't be security holes in the framework.

minitech10y ago

Stripping tags before encoding is security theatre. Encoding is just replacing 2–4 characters; if it’s not implemented properly, there’s no way tag stripping is.

andersonmvdOP10y ago

Well said, I agree.

j / k navigate · click thread line to collapse