One of the reasons that Java became so popular was that it was new during a time that business was making enormous investments in IT. That time has passed, and business is less likely to invest in new languages, tools, etc, regardless of their merits.
Re:Wolves in Sheep's Clothing (on Spying On Tor) · Score: 3, Interesting
As the article has repeated, if you're interested in security it seems you really ought to apply your own encryption on top of TOR.
However, even if you do that are you truly anonymous? Is there any way to determine both ends of a conversation (either email or sessions)?
There's no way to guarantee that your communications over TOR are anonymous, and they're pretty upfront about that in the documentation. It's pretty easy for a government (or just about anybody, really) to add enough nodes to TOR to have a reasonable likelihood of being all three nodes in your conversation (entrance, middle, and exit). The nodes need to be geographically distributed, but that's easy for governments and easier for hackers, who have access to botnets of machines all over the world. Once they've got enough nodes out there, it's pretty easy to tell who's sending all that traffic, and where it's going.
Again, adding encryption helps keep your data from being sniffed (as long as you know you're not hit by MITM, see other comments about PKI), but TOR doesn't protect your anonymity against a sophisticated (and reasonably well-funded) attacker.
Those would count as taxable income based on the value of the shares, and would probably put him into the 35% bracket. Still, it sounds like it turned out okay for him.
Wrong. In fact, a whole lotta people in ESR's situation ended up with stocks that were worth less than their strike price (the price they paid to exercise their options and buy the shares) by the time their lockout ended. The IRS still wanted its money though.
Imagine ESR had options on 100,000 shares at $10/share. On IPO day say he exercises his option to buy the shares. Now he has to cough up $1,000,000 to the brokerage to buy them. Of course, the shares are worth a bunch more than $10, so the brokerage takes its million bucks in shares. ESR ends up with somewhat less than 100,000 shares, depending on the value of the shares at the instant the brokerage took its cut. ESR has now sold some of his shares in spite of the lockout (this is legal), and owes the IRS a ton of capital gains tax on his 1999 return.
For the truly unlucky whose shares were worth more than our hypothetical $10 by the time the lockout ended, they were truly up a creek: they owed the IRS a huge bill for exercising shares that were worth less by the time they could sell. IIRC there was an amnesty for those caught up in the mess.
Part of the problem is that the sysadmin job is somewhat reactive (like the plumber who responds to problems), somewhat preventative (like the security guard keeping the bad guys out), and somewhat prescriptive (like the carpenter adding on another 20000 SF of building). Try to divide the general role into these different categories and come up with metrics for each. Coming up with a single metric will be nearly impossible because of the diversity of the responsibilities of the job.
Find other jobs that have similar, "preventing the negative" jobs. How would you measure the security guard's efficacy?
I'm not talking about changing the license on an existing piece of software, or changing the GPL at all. I'm talking about controlling what body can release its own "new" version of the GPL and how that control is maintained.
Not trolling here, but what's to keep somebody from coming up with a license called GNU Public License v4, defining their own wicked terms along with it, and picking up all the GNU software with the "or later" clause in it?
Does the FSF have the trademark on GNU Public License? What if the third party called it something else, but declared it to be a newer version of the GNU Public License?
I don't think you know what a hostile takeover is. I suspect the primary developer would consider the takeover quite friendly, since he has both cash in his pocket and a new job, in exchange for seeing his software continue under GPL v2 (the license he was using anyway). So Apple doesn't like GPLv3? I imagine a lot of companies that sell proprietary software (and use FOSS along with it) don't. That's pretty understandable.
Amen to that. I live in the Twin Cities, which as luck would have it is a great place to be in IT. We have 22 of the Fortune 500 headquartered here, and it's pretty easy to make good money if you have solid technical as well as interpersonal skills. I've looked into going coastal, but it's pretty unlikely. Schools here are great, COL is low, and it's easy to get to either coast by plane. The weather is not so great, but oh well.
Make smart choices in your life, and take ownership of the dumb ones. Me, I live in a big house (probably bigger than I need: not a great choice, but one I can live with). I take the bus to work most days (which helps offset the cost of the house), I keep my energy bills low, don't eat out too often, and sock money away for retirement, education, etc. before thinking of spending it on vacations, et al. On the whole, I'm pretty happy. Not without worries, not without bad days, but that's all part of being alive. When I started learning to focus on the important stuff (for me that's my family) and get the other stuff out of the way as quickly as possible, I became a lot happier.
One of the things I sometimes worry about is whether or not IT (specifically software engineering) is going to take me to retirement. I've already gone through several major career changes after seventeen years as a professional, and I hope that if software doesn't support me all the way (the market is less interested in s/w engineering), that whatever I end up doing is at least as stimulating. And that my mortgage is paid off first.
We're all going to end up dead soon, make sure you're enjoying the journey you're on. If not, make a change (that's where this story got started, right?). If you live in the US, you probably have that opportunity; it's one of the reasons it's a great place to live.
Nobody actually pays those rates, since tax credits, deductions, and exemptions all make the numbers go way, way down. The Fed credits you for all taxes you pay to States and municipalities, itemize your deductions (incl. mortgage interest on your home), FICA caps out after $89,500, etc. Using 401K, VUL, IRA, etc. you can defer your tax burden until you're retired, and end up paying way, way less since after retirement most people are in a pretty low bracket. There are a ton of ways to dodge the burden at the high end.
On the other end of the scale, people who make $25,000/year pay very little in taxes, particularly if they have children. There's just no way to make it happen. Unfortunately the folks on the low end usually pay more than they should, because they often don't know the ins and outs of dodging the burden at the low end (different techniques than at the high end, obviously, but still present).
In any case, nobody pays close to 65% in the US. Not even 50%.
You said: "It's really quite simple: The USA taxes away (state, local and federal) about 65% of the income of its workers."
Huh? I'm married, in the top federal tax bracket (AMT, thanks so much), living in a high-tax state (Minnesota) with a spendy house in a high-property-tax county. I don't spend anywhere near 65% of my income on taxes, not even close to 30%. Folks I know who make less than I do (i.e., not in top tax bracket) pay less of a percentage than I do. What are you smoking?
A US BS graduate has an investment of about $300,000 of Tax Cost before they graduate. This has to be repaid.
Also, what fiction are you using to come up with a $300K tax cost? To get a student through K-12 in my high-tax state (funds education at a higher level than almost anyone, my municipality is in the top 1%) costs the taxpayers about $84,000. How is it that you think that a BS costs the state (not counting tuition which is paid in after-tax dollars, mind you) the other $216,000?
The iChat server uses XMPP (Jabber), so yes, there's a ton of Windows client support. I was wondering if the iChat server has gateways to other systems like AIM and Yahoo, but I haven't bothered to check.
To everybody posting the obligatory "IE Sucks at CSS", while I agree with the sentiment, my own IE experiences got much less painful (and this goes for Firefox too) when I learned how the browsers tell between "quirks mode" (where rendering with CSS is a true crapshoot) and "standards compliance mode" (where rendering with CSS is... somewhat less of a crapshoot).
If your DOCTYPE tag at the start of your HTML starts with something like:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
Then IE/FF will render it in a fairly similar way. If you don't include the URI of the DOCTYPE ("http://www.w3.org/TR/html4/strict.dtd", above) then you're stuck in quirks mode hell.
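As an added example (my own code, not the poster's), the function below reports which rendering mode a browser will pick for the common doctypes. It encodes the rule the post describes for the HTML 4.01 Transitional and Frameset doctypes, which only leave quirks mode when the DTD URI is present, together with the two cases I am adding: no doctype at all (always quirks) and the short HTML5 doctype (always standards). For the Strict doctype the post shows, browsers choose standards mode with or without the URI. Browsers carry a much longer table than this; classifyDoctype and liveCompatMode are names I chose, and the sample markup in the comments is constructed.

```javascript
// Added example, not code from the original comment. Reports the rendering
// mode a browser picks for the common doctypes. Browsers use a longer table;
// this covers the cases discussed in the post plus no-doctype and HTML5.
function classifyDoctype(html) {
  const m = /<!DOCTYPE\s+html(\s+([^>]*))?>/i.exec(html);
  if (!m) return 'quirks';                              // no doctype at all: always quirks
  const rest = (m[2] || '').trim();
  if (rest === '') return 'standards';                  // <!DOCTYPE html> (HTML5)
  const pub = /PUBLIC\s+"([^"]*)"/i.exec(rest);
  if (!pub) return 'quirks';                            // no usable public identifier
  // A second quoted string after the public identifier is the DTD URI (system id).
  const hasSystemId = /"[^"]*"\s*"[^"]*"/.test(rest);
  // The 4.01 Transitional/Frameset doctypes are the ones the URI matters for.
  const loosePublic = /^-\/\/W3C\/\/DTD HTML 4\.01 (Transitional|Frameset)\/\/EN$/i.test(pub[1]);
  if (loosePublic && !hasSystemId) return 'quirks';     // the case the post warns about
  return 'standards';                                   // Strict, or loose doctype with URI
}

// In a live page the browser reports the mode it actually chose:
// document.compatMode is "CSS1Compat" in standards mode, "BackCompat" in quirks mode.
function liveCompatMode(doc) {
  return doc.compatMode === 'CSS1Compat' ? 'standards' : 'quirks';
}

// Constructed samples: the post's strict doctype, and a transitional one without the URI.
const STRICT_WITH_URI =
  '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html></html>';
const TRANSITIONAL_NO_URI =
  '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html></html>';
console.log(classifyDoctype(STRICT_WITH_URI), classifyDoctype(TRANSITIONAL_NO_URI));
```

Run it under Node to see the classification of the constructed samples; in a browser, `liveCompatMode(document)` is the authoritative answer for the page you are actually debugging.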
I think this is a lot like the question, "Why do we drive gasoline cars?" or, "Why do we use IPv4?"
There's just a ton of infrastructure built on x86/gas/IPv4, and even though there are alternatives that are arguably better, the infrastructure just isn't there.
--- This post encrypted in ROT-26. Any attempts to read this post are in violation of the DMCA.
Here in Minnesota we use the hand-marked optical scan system, and it's great. There's a high degree of confidence that your vote actually counts for something. That, coupled with a mandated recount in a random sampling of districts in each county after the election.
Please mod up the parent. ADA makes life better for the rest of us w/o disabilities, by increasing the productivity of those living with them. When you amortize the initial expense of accommodating disabilities over any reasonable length of time I'd be willing to bet the gain for society exceeds the cost.
BTW I think the reason most businesses in Europe have a step up at the entrance is to reduce damage from minor flooding, not aesthetics, but I could be wrong.
These 3G wireless services are all locked down by the telecom companies. I just bought a phone from T-Mobile that purports to support Java applications, and I have a data plan. However, it turns out that T-Mobile locks out Java applications that T-Mobile did not itself distribute. I cannot use the new Mobile Google Mail application, nor can I use Google Maps on my phone. It's not because the phone does not support it, but because T-Mobile has decided that it can enforce vendor lock-in with DRM'd Java apps.
Not on my T-Mobile Blackberry Pearl 8100 they're not. Mobile Google Mail works fine, as does Google Maps (a fantastic app, BTW).
If you hang onto your T-Mobile account for 90 days, they'll unlock your phone for you at no cost, allowing you to switch to another provider.
I ran Linux at home to manage my domain for several years. I had email (Postfix/Cyrus/SA/ClamAV), web (Apache, DAV), ssh, the usual stuff. I eventually ditched it all because I was tired of manually updating everything (since my version of Redhat wasn't supported any more), and upgrading to a new distro is tantamount to re-installing from the ground up, and re-configuring the whole thing because all the files are in slightly different directories now. I won't even go into the frustrations of getting wireless or VPN working (I never did).
Eventually I dropped the whole thing and moved to Google's Hosted Domains. I've never been happier: I don't have to focus all my time updating software, tweaking settings, doing routine maintenance, and generally being an expert in an enormous number of tools. Now I can spend that time with my family instead. Does GHD have all the options (DAV), or as good of Spam filtering as my heavily tweaked Postfix/Postgrey/Amavis/ClamAV/SpamAssassin? Nope. But the trade-off is definitely worth it.
I'm not (as one poster put it) stupid or lazy or ignorant. I've been a professional developer for decades. I learned all the tools and how to configure them. But what an enormous amount of time sunk into it. I'm much happier letting somebody else worry about all that crap now.
The point is that people want solutions to their problems, not operating systems.
Has the tech market improved so much that working on a prominent website is no longer enough to attract the best talent?
Umm, working on a prominent website was never attractive to me, nor anyone else I have heard of with "the best talent." Getting paid the most for my services is, provided the intangibles are taken care of. But the prominence of the product figures pretty low on my list, unless my compensation is linked to its success (e.g., stock).
Well, recently it came to the attention of the authorities that a number of companies were granting stock options and (either immediately or later) backdating them to a date when the stock price was low (i.e., it was as if the options had been granted at a date when the stock price was lower, and thus the exercise price on the option was said low price from the chosen date).
This is illegal.
No, it's not. It's only illegal if you fail to disclose the backdated grants to your shareholders. If you disclose it correctly, it's legal under current SEC regulations.
No, you won't. Libraries (at least in the US) don't keep your checkout information once the book has been returned, to avoid exactly this situation. I just contacted my local library to help my wife find a book she had checked out and read but could no longer remember the title. They verified that they don't keep that information, in large part to avoid uncomfortable and expensive litigation with government subpoenas.
You're entirely missing the point. My application doesn't trust any data coming in from the browser. That's why I don't inline any data from the browser directly into HTML. I do careful checks of length, type, semantics, authorization, entitlement, etc. on every property of every object in every graph that's passed to the application server. But one thing I don't need to worry about is somebody sending up text with a tag (or anything else) inside a string. Any text given is stored as text, and is rendered by the text rendering part of the browser, not the HTML renderer. Not ever. I've thoroughly tested the marshaller, and every single escape is handled correctly. Even if some idiotic browser out there didn't handle escapes correctly, it wouldn't be able to parse the XML stream coming back from the application server, and wouldn't pass a unit test. Not that I'm responsible for bugs in some idiotic browser, but even IE handles it correctly.
It seems you think I was saying that I blindly take whatever XML comes into my application and act on it. I'm not; that would be bad. I would assume that anyone who's written a distributed application has already figured that one out. I'm saying that by not inlining user's text into my HTML, I've prevented a whole class of attacks that apparently (by the article) many web developers don't understand.
While I'm on my soapbox, let me expand the conversation a bit into how poorly designed many single sign-on systems are. The client I'm working with has a typical SSO system in place using SiteMinder. Users log in once, and they're authenticated to every application they can access. They never need to log in again. If ANY application to which they have access has an XSS attack waged against it, EVERY application is compromised, since the user's identity is known only through a couple of SiteMinder cookies. The sad part is, almost every application in the company is vulnerable. I checked.
So even though I've been a good steward of painstakingly checking all my end-user inputs, my application can easily be compromised by this boneheaded architecture. Yippee!
That's my point. I don't need to assume that everything is coming down correctly. The browser will encode the data for me. If the XML that comes down from the appserver is invalid, then it's not a valid document and won't parse, so my code fails. If a user submitted text that is JavaScript, the browser escapes the characters for me, and the user sees the text.
I'd be a fool if I received HTML fragments from the appserver, and those fragments were partially user-generated content, and those were unescaped. But I'm not doing that. I'm also not a fool.
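The approach the poster describes in these comments, as an added example in my own code (not the poster's application): user text is escaped when the appserver marshals it into XML, the client reads it back as a string, and it reaches the page through textContent rather than innerHTML, so a tag inside the string stays literal text. unmarshalComment also shows the "won't parse, so my code fails" property: if a marshaller leaks a raw tag into the body, the reader throws instead of rendering. The last function addresses the SSO point: an HttpOnly session cookie cannot be read by script injected into any one application, though the browser still attaches it to requests that script makes, which is why every application behind the SSO has to be clean. All names (escapeXml, marshalComment, ssoCookieHeader, the SSO_SESSION cookie) and the sample comment are mine and constructed.

```javascript
// Added example, not code from the original comments. Demonstrates escaping
// user text into XML, reading it back as text, rendering it via textContent,
// and marking an SSO cookie HttpOnly. All names below are my own.

const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Server side: every character XML gives meaning to becomes an entity, so the
// user's text can never close the element it sits in or open a new one.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Client side: undo exactly those entities. A real client gets this from the
// browser's XML parser; it is written out here so the round-trip runs under Node.
function unescapeXml(s) {
  const reverse = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => reverse[name]);
}

// The XML fragment the appserver returns for one comment.
function marshalComment(author, body) {
  return `<comment author="${escapeXml(author)}">${escapeXml(body)}</comment>`;
}

// Minimal reader for that fragment. A raw '<' or '"' that a broken marshaller let
// through makes the pattern fail, so the reader throws rather than rendering it.
function unmarshalComment(xml) {
  const m = /^<comment author="([^"]*)">([^<]*)<\/comment>$/.exec(xml);
  if (!m) throw new Error('not the well-formed <comment> element the server emits');
  return { author: unescapeXml(m[1]), body: unescapeXml(m[2]) };
}

// Unit-test helper for a marshaller: no markup character may survive unescaped.
function hasRawMarkup(escaped) {
  return /[<>"']/.test(escaped) || /&(?!(amp|lt|gt|quot|apos);)/.test(escaped);
}

// Rendering: textContent hands the string to the text renderer; innerHTML would
// hand it to the HTML parser. Only the first is safe for user-supplied strings.
function renderUserText(element, text) {
  element.textContent = text;   // a '<b>' in the string is shown as a literal '<b>'
  return element;
}

// SSO session cookie with HttpOnly, so script on any one application cannot read it.
// Secure and SameSite narrow where the browser sends it. Cookie name and value are
// checked against the characters that would break the header.
function ssoCookieHeader(name, value) {
  if (!/^[\w-]+$/.test(name) || /[\s;,"\\]/.test(value)) throw new Error('bad cookie token');
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample: the kind of string the poster says he does not have to worry about.
const SAMPLE_AUTHOR = "o'brien";
const SAMPLE_BODY = 'Tom & Jerry say "hi" <b>not bold</b>';
const wire = marshalComment(SAMPLE_AUTHOR, SAMPLE_BODY);
const back = unmarshalComment(wire);
console.log(wire);
console.log(back.body === SAMPLE_BODY ? 'round-trip ok' : 'round-trip broken');
console.log(ssoCookieHeader('SSO_SESSION', 'constructed-token-value'));
```

The two regexes in unmarshalComment and hasRawMarkup are the unit test the poster mentions: feed the marshaller strings containing each of the five XML special characters and confirm that what comes out parses and contains no raw markup.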
How is this a troll?
"Chick" is sexist. You're supposed to spell it "chyck."
You need to be 16 at some point in 2008. If she was born 9/30/92 she's eligible, even though she's 15 now.