RE: Error and Fatal Error
This is a classic example of "SQL Injection", although in this case it's "XML Injection". Just Google it and you'll see it's not specific to XML or SQL or anything else. It's a core problem of software that all engineers need to handle.

Any time you allow an 'end user' to 'inject' data into a programming or markup language or pretty much anything, you need to escape or sanitize it. That's just the way it is. Ignore this and you're asking for trouble. Or worse, you're asking for *disaster*.

If you don't ... the BEST that can happen is a syntax error. Yes, that's GOOD. Syntax errors are a good thing. They mean you screwed up. But they don't happen all the time. A clever person can avoid the syntax errors and inject really nasty things ... That's really bad. The WORST that can happen is invisible unintended data or code injection.

You should be praying thanks to the XML parser Gods for rejecting this bad data rather than passing it along blindly and "fixing" it. At least it catches the unintentional mistakes and highlights your code bugs that will not be exposed by a truly malicious hacker.

If you want to pass through user data unsanitized, please send me the URL so I can add a few million $ to my bank account or whatever the site allows but doesn't intend.

If you want magic to happen that always does the 'right thing' (citation needed) in software and reads the mind of the programmer's intent instead of what you actually told the computer to do, you're either in the wrong field or the wrong century.

----------------------------------------
David A. Lee
dlee@calldei.com
http://www.xmlsh.org

-----Original Message-----
From: Jim Melton [mailto:jim.melton@oracle.com]
Sent: Wednesday, August 10, 2011 8:35 PM
To: stephengreenubl@gmail.com
Cc: Toby.Considine@gmail.com; xml-dev@l...
Subject: Re: Error and Fatal Error

Stephen,

At 7/18/2011 01:14 PM, Stephen D Green wrote:
> The problem is that there are tags in the strings - it is XML.
> System.Security.SecurityElement.Escape and HtmlEncode would change the
> angle brackets in the tags too.

I suggest that you've failed to accept what many have been telling you: The presence of angle brackets around sequences of certain characters might create "tags", but that does not make it XML. "XML" is a well-defined language. Claiming that text such as:

    <elem attr="<"&<Bob"/>

is XML doesn't make it so. There are explicit rules in the definition of the language XML that prohibit attribute values containing <, &, and the quoting character itself unless they are properly "escaped". Violation of those rules means that the text doesn't meet the definition of XML.

Would you, for example, expect a C processor to process this text properly:

    switch (flag] { ... )

even though the right square bracket was pretty "obviously" supposed to be a right parenthesis and the right parenthesis a right curly brace? I haven't encountered a C processor that would make those corrections -- they all seem to report syntax errors and expect me to make the corrections. I don't find that unreasonable.

I'm no longer a software developer (although I was for many, many years), and yet I've been able to write fairly simple code in a couple of different languages that pseudo-parses input text that claims to be XML, locates certain aberrations that my application typically produces (e.g., & and < in what were intended to be attribute values, -- in what were intended to be comments), and corrects those specific errors (e.g., replacement with character references and insertion of a space between the hyphens). Full parsing is rarely needed, depending on the precise errors that you intend to fix. I'm sure that you can do the same without significant overhead.

Hope this helps,
Jim

========================================================================
Jim Melton --- Editor of ISO/IEC 9075-* (SQL)     Phone: +1.801.942.0144
Chair, ISO/IEC JTC1/SC32 and W3C XML Query WG     Fax : +1.801.942.3345
Oracle Corporation        Oracle Email: jim dot melton at oracle dot com
1930 Viscounti Drive      Alternate email: jim dot melton at acm dot org
Sandy, UT 84093-1063 USA  Personal email: SheltieJim at xmission dot com
========================================================================
= Facts are facts. But any opinions expressed are the opinions         =
= only of myself and may or may not reflect the opinions of anybody    =
= else with whom I may or may not have discussed the issues at hand.   =
========================================================================

_______________________________________________________________________
XML-DEV is a publicly archived, unmoderated list hosted by OASIS to support XML implementation and development. To minimize spam in the archives, you must subscribe before posting.
[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
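The point both messages make, that untrusted text must be escaped before it is placed inside an attribute value or element content, and that a conforming parser will reject the unescaped result rather than guess, can be shown with a short script. The example below is added here and is not code from the thread; it uses only the Python standard library (`xml.sax.saxutils` and `xml.etree.ElementTree`), and the sample input is a constructed string modelled on the attribute value in Jim's message.

```python
"""Added example: escaping untrusted data before embedding it in XML, and
observing what a conforming parser does with the naive, unescaped version.
Not code from the mailing-list thread; stdlib only."""
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the value discussed in the thread.
UNTRUSTED = '<"&<Bob'


def build_naive(value: str) -> str:
    """String-concatenate user data straight into the markup.

    This is the defect under discussion: the result is only well-formed XML
    when the input happens to contain none of < & or the quote character."""
    return '<elem attr="' + value + '"/>'


def build_escaped(value: str) -> str:
    """Escape the attribute value properly before embedding it.

    quoteattr() escapes <, & and > as character references, then chooses a
    quote character (or escapes the quote) so the value is always legal."""
    return '<elem attr=' + quoteattr(value) + '/>'


def build_escaped_content(value: str) -> str:
    """Element content: escape() handles <, & and >; quotes are legal here."""
    return '<elem>' + escape(value) + '</elem>'


def parses(xml_text: str) -> bool:
    """True if a conforming parser accepts the text, False on a
    well-formedness error (the 'syntax error' the thread calls a good thing)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def round_trip_attr(xml_text: str) -> str:
    """Parse the document and return the attribute value the parser recovered."""
    return ET.fromstring(xml_text).attrib["attr"]


def round_trip_text(xml_text: str) -> str:
    """Parse the document and return the element's text content."""
    return ET.fromstring(xml_text).text or ""


def child_count(xml_text: str) -> int:
    """Number of child elements: escaped tags in content must produce none."""
    return len(list(ET.fromstring(xml_text)))


if __name__ == "__main__":
    naive = build_naive(UNTRUSTED)
    safe = build_escaped(UNTRUSTED)
    print("naive   :", naive, "-> parses:", parses(naive))
    print("escaped :", safe, "-> parses:", parses(safe))
    print("recovered attribute:", round_trip_attr(safe))
    content = build_escaped_content("<b>not a tag</b>")
    print("content :", content, "-> children:", child_count(content))
```

Running it shows the naive document rejected with a `ParseError` while the escaped one parses and yields the original string back unchanged; the same holds for element content, where an escaped `<b>` stays text rather than becoming a child element. Escaping at the point where the string is built is the cheap alternative to the after-the-fact repair Jim describes, and it covers every input rather than only the aberrations you thought to look for.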