which clearly shows that you have no practical people experience
I do. Enough to know that most people behave totally differently online. My words need to be much more extreme to get the exact same meaning, to most people. I am, however, very careful that my words logically don't say anything different. It's only the way I say it.
And I'm repeating earlier points because you seem to not agree, yet still haven't really told me why. We are getting closer, you've told a bit about which situations you think escaping is not enough, but not so much why. I have agreed in some cases, but some are more about programming in general and not so much about XSS.
I'm sure no one else is reading this, and I strongly disagree that I was flaming, if that is what you are saying. I just responded to an "empty" comment in a language that was hard to ignore. People who post empty comments usually ignore everyone who doesn't agree.
If your first response had been "hey, I looked at that list of rules, and I don't see how they do anything for me that escaping won't solve", you'd have gotten a helpful response instantly.
If your first post had been a direct link to the list of rules, and the comment "here is a list of rules about what would not be solved by escaping, see rules number #, # and #.", that would essentially have been my reply. So please, tell me why. I'd love concrete examples.
...by advertising for a book? Yeah, we Slashdotters really love that.
You don't seem to mind the other ones quite as much...
Huh??
What I "said" in that post added nothing to what was already there
You pointed out exactly what you were talking about. That's about the same difference as quoting something relevant from Wikipedia, and just pointing to http://www.wikipedia.org/ and saying "there's something relevant there". I'm not going to search for it (or pay for it as you suggested), when there's no reason for you not to be more specific.
So you're saying that it isn't healthy for a couple (married or not) to start a business together and grow it?
I'm saying "not many relationships can survive it" and that "it's probably not healthy". From this you can deduce that some relationships can survive it, and there is a (low) probability that it is not unhealthy. Of course some will beat these odds. Most won't, but that's how business is.
Had more people taken your advice, probably half of all businesses started as mom-and-pop concerns wouldn't have *been* started.
How many mom-and-pop startups ended up destroying the business, marriage or both? I'm not saying couples shouldn't start businesses together, just that it's dangerous.
But this is kind of off-topic. If a couple starts a small company, probably just the two of them in the beginning, I don't think they would need to fight a no-workplace-romance policy. :-)
No, I don't think so. You fouled it up at the start.
Uh, you are the one that made a comment that did not add anything to the discussion. How was your feedback? There was no further discussion. But when you finally actually said something, there was something to discuss. So who "fouled it up"? We won't agree on this one.
Yes, you got me riled enough to post that previous entry -- including my ad hominem -- but that's what you got for coming across as an idiot.
My point exactly. By... "acting the way I did", you finally said what you should have said from the beginning. This is a technical discussion, you need to get technical to add anything.
I don't see anything in your attitude to change that impression, and I expect that this post won't help your impression of me.
But still, again you are not adding to the discussion. Either you didn't learn anything, or you just dislike me too much to use what you learned. Doesn't matter much, the thread is fubar anyway.
Well, I guess that teaches me for trying to be helpful on Slashdot.
...by advertising for a book? Yeah, we Slashdotters really love that. If you had said what you said in your previous post in the same post you linked to the book in, it wouldn't be such a pointless advertisement. It would be a relevant comment in the thread AND a good book reference. (Assuming it's a good book, of course.)
Trunk Space and racks:
Yeah, they're great - if you go to one store. Go to two stores and you're f*cked. What are you going to do with the stuff from the first store? Leave it on the bike on the street? Bring the racks into the store?
Before I got my car I went home after each store, spending half of every Saturday shopping. With my car I'm done in an hour or so. I can even do it Friday after work.
A/C and Sun:
If you're going to work in the morning, the angle of the Sun... I don't know about you, but I also go home from work. And at that time the sun is very strong, very hot, and I really really prefer not to do hard work in it right after work.
A bike is great when it's practical. It just rarely is. Even if everything else works, the bike (my bike) is regularly flat, vandalised or stolen. I've had no such problems with my car.
Because some people (most probably) have a hard time leaving personal business at the door.
They shouldn't be working side by side in any case. Not many relationships can survive being together 24/7. And even if it does, it's probably still not healthy.
But to the company, that's no different from two people who are just different in the wrong way. There's nothing special about two good employees who just don't work too well together. Just don't pair them, done.
Leaving personal business at the door can be difficult for some, no matter if their spouse is working the same place. This is just something adults are supposed to be able to handle. If it's really so bad that you cannot take care of your job, take a vacation or call in sick. Seriously. If you are not able to do your job because of a mental condition, you're ill, and you can take a sick day.
Last point, what if one of them manages the other? This is the hardest one. Now not only the couple needs to be adults, everybody else does too. This should probably be avoided. Where I work, I think major decisions like raises and promotions need at least two people. The direct manager makes a recommendation, and someone else makes the decision. Favoritism is probably only possible for small things. Small things that don't matter in a healthy workplace.
Unhealthy workplace: "Wow, she got a new chair very easy." - "That's just because her husband is her manager."
Healthy workplace: "Wow, she got a new chair very easy." - "Is something wrong with your chair? Just get a new one too."
Yeah, that may be my point: A healthy workplace can handle it. And if someone isn't adult enough to do their job, it doesn't matter if their significant other works the same place. (A small workplace may not be able to handle two people not being able to work close together, then the couple must make a choice, forced by employer or not.)
Rule 16: Do not massage invalid input to make it valid
Escaping invalid input can be an example of falling into this pit trap.
This is more a usability issue than a security issue. If it is properly escaped, it's harmless. But from a usability point of view, invalid data should normally be rejected. You could argue that "properly escaping" can fail, but so can validation. You should always escape correctly, and you should always know exactly how to do that.
Rule 22: Filter all data before including them in a web page, no matter the origin
Escaping won't help you here, either.
I agree that "filtering" must be done. If the input is plaintext, it should be converted to HTML before being displayed on a web page. If the input is untrusted HTML, it is far more difficult.
Another thing that escaping won't catch, is input that is perfectly valid, but which in an underlying layer has different semantics. I believe the book mentions an example using VBScript, which IIRC is typeless. The incoming value might be okay for validation, but once it has gone through the database layer and is returned to the VBScript layer again, it's harmful.
As data moves between software layers additional escaping may be needed. Typeless or weakly typed languages need a bit more attention, but it's not that hard. For example PHP (I don't know VBScript):
function foo($bar) {
    $bar = (int)$bar; // cast first, so that only the integer value is used below
    ...
}
In PHP you cannot force type on the arguments. In this case I don't trust that $bar is an integer, so the first thing I do is to cast it. Now I know it's an integer. If the value cannot be cast to an integer, this will be bad. But if that is a possibility in a production environment, I will just have to handle it more elaborately.
If validated harmless data becomes harmful by going through the database layer, the database layer has a serious bug. This is normally something I would trust just works. When I create the database layer, I will of course take escaping very seriously, as always.
In short: Remember to escape, and remember the weaknesses of the chosen language.
Rule 3: In a server-side context, there's no such thing as client-side security
You kind of shock me here. Are you serious? Of course you are. But this is so basic client/server that it hurts. Anything that comes from the internet is dangerous until proven otherwise. Experienced programmers know how to identify and keep untrusted data from trusted data, and how to move from the first to the second.
So generally, I stick with what I said: Escape properly, and you're good to go (in regard to XSS). Including untrusted HTML on a web site may be the exception, that is quite difficult, depending on how advanced HTML is allowed.
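The casting point made above, carried through as an added Python example (added here; it is neither code from the thread nor the PHP the post uses). It assumes a hypothetical request parameter named page with an allowed range of 1..1000, and a constructed dictionary standing in for the database layer. PHP's (int) cast turns "12abc" into 12 and "abc" into 0, which is exactly the silent failure the post says has to be handled; loose_int imitates that behaviour for contrast, while strict_int rejects anything that is not a plain decimal integer before the value crosses into the trusted side.

```python
import re

# Only an optional sign followed by decimal digits: no surrounding whitespace,
# no trailing junk, no hex or underscore forms.
_INT_RE = re.compile(r"[+-]?[0-9]+")


def loose_int(value) -> int:
    """Imitate a permissive cast such as PHP's (int): keep the leading digits
    and fall back to 0 when there are none. Shown only for contrast."""
    m = re.match(r"\s*([+-]?[0-9]+)", str(value))
    return int(m.group(1)) if m else 0


def strict_int(value, low: int, high: int) -> int:
    """Accept only a plain decimal integer within [low, high]; reject all else."""
    if not isinstance(value, str) or not _INT_RE.fullmatch(value):
        raise ValueError(f"not an integer: {value!r}")
    number = int(value)
    if not low <= number <= high:
        raise ValueError(f"out of range: {number}")
    return number


# Constructed stand-in for a database layer. It stores whatever it is handed,
# so the type guarantee must be established before a value gets this far.
_DB = {}


def handle_request(params: dict) -> tuple:
    """Trust boundary: validate the untrusted parameter, then store it.

    Returns ("ok", n) or ("rejected", reason). The parameter name 'page' and
    the range 1..1000 are assumptions made for this example.
    """
    try:
        page = strict_int(params.get("page"), 1, 1000)
    except ValueError as exc:
        return ("rejected", str(exc))
    _DB["page"] = page              # only a validated int ever reaches the store
    return ("ok", _DB["page"])


def compare(raw) -> tuple:
    """(what a loose cast would have produced, what the strict path decides)."""
    return (loose_int(raw), handle_request({"page": raw}))


if __name__ == "__main__":
    for sample in ["42", "12abc", "abc", " 7 ", "5000", None]:   # constructed inputs
        print(repr(sample), "->", compare(sample))
```

The strict path is deliberately narrower than the language's own int() conversion (which still accepts surrounding whitespace and underscores), because the point is that whatever the validator lets through is the only shape the later layers ever have to reason about.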
In online discussions, that kind of statement basically means "you win, I have nothing but direct or indirect ad hominem to add".
I had nothing to add, because (as far as I'm concerned) you didn't add anything I could reply to. But now I've got exactly what I wanted, and now we're having an interesting discussion. You didn't need an entire book to make your point. If anybody doesn't understand what you said, they can now leave the discussion temporarily to study. Buy the book or otherwise, it's their choice.
And yes, my tone can be arrogant to some people, I'm sorry if I offended you. More subtle advice is too often ignored. This is one of those cases where I just do what works.
I recommend this not only to people new to web programming, but also to seasoned programmers. There's more than one time that I've heard people say "pfah, I know the pit traps, I don't need this book", and a few weeks later tell me that there were things there they hadn't thought about.
Translation: "This is sooo good I can't even explain what it is."
Further translation: "This isn't really so good. If I just told you what it really is, you'd lose interest."
First you didn't even say that there was anything interesting on the book's website, I assumed the link was for buying the book. But OK, I checked out the site.
Page 1: Advertisement, as expected. No real info.
Page 2 (Excerpt from the Introduction): Blah blah
Page 3 (Summary of rules chapter): This one I only read because it was the last one, I'm being really patient here, trying to find out what you are talking about. I didn't find anything relevant to the comment you replied to. Also, I didn't find anything a seasoned programmer shouldn't know. I didn't find anything new, and I'm not very seasoned in making high-security websites. I haven't read any books about it, taken any classes or anything like that.
So either I was right when my internal warning lights started flashing, or I still don't know what you are talking about. Maybe you could just mention which of the rules you think would be relevant for preventing XSS (except escaping which I already suggested), or which of them you think is a surprise to a "seasoned programmer".
By the way, my first reply to you was really to teach you about discussing online, but since you are insisting so much that you do have an argument, I'm getting curious.
I'm pretty sure I've seen a version of the first episode where he says it, but it's not in the transcript:
FRY Why would a robot need to drink?
BENDER I don't need to drink, I can quit anytime I want! So they made you a delivery boy, huh? Man, that's as bad as my job.
I remember it as something like:
Fry: Why would a robot need to drink?
Bender: I don't need to drink, I can quit anytime I want! Besides, it powers my fuel cells.
Fry: What's the cigar for then?
Bender: It makes me look cool. [smokes] So they made you a delivery boy, huh?
In the company I work in (Danish company) more than 10% of the employees are married to each other. And we are hundreds of employees, so I think there's enough statistical data to toy with.
What if office romances were not allowed here? Why shouldn't it be allowed, as long as they are not romancing in the office? I regularly see people coming to work holding hands, and people from different departments eating together, and that's it. I don't see any problems here. (But if people here keep marrying each other (or hiring spouses), this could be a family business in a few generations...)
The topic is too large to cover in a comment on Slashdot.
I have made a very elaborate and ground breaking answer to your comment. It's too large to quote here, but you can read it in my reasonably priced book.
Seriously: I'm not asking you to cover it. Just mention it, instead of asking us to buy a book. Give us a couple of keywords so we know what you're talking about, no need to cover it in detail. If we want the details we can buy the book. But I'm not going to buy a book because you say it says something that you think I don't know. That is not contributing to a discussion.
I'm working on a kind of intranet, which means 100% IE. When we discuss a big problem often someone says "we could solve this easily in Firefox" or "we could just switch to Firefox". Then we laugh. Then we get a sad look on our faces, and someone says "no really, what should we do?"
A while ago I heard that a really nice feature that the users want was dropped, too expensive. It would cost thousands of kr (hundreds maybe thousands of dollars). A few minutes later I said "look, it's not that hard. I made this in two minutes including testing and debugging, and it works perfectly". Then someone said "yeah, but you tested in Firefox, right?" - "Oh..."
That is why you also turn " into &quot; when it's inside double-quotes. This is the right solution, you just have to finetune it. It's not that hard, you just need to remember it every single time it should be done. It's the "remember" stuff that's hard.
Include turning & into &amp;. Finally there's &#39; (') and you're done.
Some languages have functions to do this for you, you just need to call them.
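The escaping rules in this comment, as an added Python example (not code from the thread): escape_html applies the five replacements, and parse_fragment feeds the result through the standard library's HTML parser to confirm that both the attribute value and the element text come back unchanged and that no extra element was created. The sample input UNTRUSTED is constructed for the example, the <a title=...> fragment is an assumed rendering context, and escape_text_only is included only to show what the parser makes of a value whose quotes were left alone inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed untrusted input (not from the page): it contains every character
# that needs escaping in element text and in a double-quoted attribute.
UNTRUSTED = 'Tom & Jerry <b>"bold"</b> it\'s'

# & goes first; otherwise the & of the entities produced by the later
# replacements would itself be escaped a second time.
_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def escape_html(value: str) -> str:
    """Escape for element text and quoted attribute values (the five
    characters the thread lists). html.escape(value, quote=True) from the
    standard library does the same job and is what you would normally call."""
    for raw, entity in _ESCAPES:
        value = value.replace(raw, entity)
    return value


def escape_text_only(value: str) -> str:
    """Escapes only &, < and >: fine for element text, not enough inside an
    attribute, because a raw quote still terminates the attribute value."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render(untrusted: str, escaper=escape_html) -> str:
    """Emit the same untrusted value in both contexts, an attribute and text."""
    safe = escaper(untrusted)
    return f'<a title="{safe}">{safe}</a>'


class _Collector(HTMLParser):
    """Records what a browser-like parser would make of the fragment."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs, self.text = [], {}, []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)      # attribute values arrive entity-decoded

    def handle_data(self, data):
        self.text.append(data)        # text arrives entity-decoded as well


def parse_fragment(fragment: str) -> tuple:
    """Return (start tags, attributes, concatenated text) with entities decoded."""
    p = _Collector()
    p.feed(fragment)
    p.close()
    return p.tags, p.attrs, "".join(p.text)


def roundtrips(untrusted: str, escaper=escape_html) -> bool:
    """True when the parser recovers the input unchanged from both contexts and
    no extra element was created: the property an escaper has to satisfy."""
    tags, attrs, text = parse_fragment(render(untrusted, escaper))
    return tags == ["a"] and attrs.get("title") == untrusted and text == untrusted


def decodes_back(value: str) -> bool:
    """Sanity check against the standard library's decoder."""
    return html.unescape(escape_html(value)) == value


if __name__ == "__main__":
    print(render(UNTRUSTED))
    print("full escaping round-trips:", roundtrips(UNTRUSTED))
    print("text-only escaping round-trips:", roundtrips(UNTRUSTED, escape_text_only))
```

roundtrips is the kind of regression check worth keeping next to any hand-written escaper: it fails as soon as one of the five characters is dropped from the table, which is precisely the "remember it every single time" problem the comment describes.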
How many times have you filed something away so neatly that you can't find it hirearchically (is that even a word?) and have to resort to searching!?
Countless times. On a computer AND on paper. On a computer, so what? It's easy to search when needed. On paper? Now that really sucks. That's one reason I hate paper. Print it, and it's lost.
Oh, and that is true for "neatly organized" and "not organized at all" (AKA "huge pile"). Organizing just makes searching easier to avoid and easier to do.
Unfortunately, "not using paper" often means "using PDF". Well, at least they are searchable, and I can have an open window next to it.
they are saying that when viewing such a screen at 20", the human eye can detect *each* of the rgb pixels??
Yes, of course we can. Make one pixel stand out (white on black, or black on white) and it is very clearly visible.
It must also be one of the reasons why so many people don't like to read on a screen: The very low resolution. The letters just have so much more detail on print.
I also often notice the pattern in single-colored areas on a screen. I'm not claiming I can see red, green and blue dots, but I can see that it's not just a flat color, without moving too close to the monitor.
Downloading a paid product is not a new thing. It has worked for software for years. I don't see why it shouldn't work for other kinds of data like movie clips and images.
Of course it's easier to share it with a few thousand closest friends on Internet when you don't have to rip it first. But is it really the ripping part that is hard? Isn't that the easiest part? Why is that so bold, as the summary says?
...while your wife sleeps and has sex in the bedroom?
Finally a comment on Slashdot so great I want to quote it. "Who wrote that?" someone says. I can only reply "Just Some Guy". :-/
Wow. The brain is without doubt the most interesting part of the (male) human body.
Yes. It made no sense at all. I read it like that multiple times thinking "which part did I read wrong?", assuming it was the last.
Forget my previous post (parent), I was wrong. That is another episode, not sure which yet tho.
It's great that you want to add information to the discussion, but you don't: I'm not going to buy a book to see what you are talking about.
Then don't stand under it. (But you could go inside it...)
Why was there no development on IE for several years?
Lack of motivation. They waited for some competition.
Maybe it's the same cloud, but after some giant aliens had a party.
Similar cloud has been reported before, but this cloud is smaller.