From: David LeBlanc [dleblanc@MINDSPRING.COM]
Sent: Sunday, October 08, 2000 8:16 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Cross site scripting: a long term fix
At 06:50 AM 10/7/00 +0900, Zag Zig wrote:
>An interesting commentary on this issue could be found
>in 'The Cross-Site Scripting Scam' by John C Dvorak.
>http://www.zdnet.com/pcmag/stories/opinions/0,7802,2434175,00.html
I am surprised that he doesn't think aliens from Alpha Centauri are
involved. He also failed to mention the Gnomes of Zurich or any of the rest
of the Illuminati. Mr. Dvorak has an active imagination - perhaps he should
consider writing science fiction (IMHO). "Whatever the Thinker thinks, the
Prover proves." - Orr's law, as quoted by Robert Anton Wilson. I also find
it quite amusing he considers CERT/CC 'shadowy'. ROTFL. I always enjoy
thinking about people's reality tunnels. But I wander well off-topic.
>This page has a list of links to comments entered by the readers.
>It appears that one of the commenting readers successfully illustrated
>the problem on that page.
This is rich irony. Last comment on the page stuck it in for their name -
alert('?');... - alert('name');
i replaced by ! so that it won't fire.
CERT proposed...
>This short term fix is complex and not likely to be widely used.
You're probably right. About like expecting buffer overflows to go away
because people know not to use strcpy().
>The report does not propose any other changes in the web architecture
>that could lead to a simpler, more secure, and more widely used solution.
>It does not properly characterize the problem.
>It does not examine which features of the web architecture
>are responsible for the existence of the problem.
>It makes the problem look way too complex.
>This is a very simple problem.
>They do not expose the simplicity of the problem
>and do not propose a solution of matching simplicity.
Here, I don't entirely agree with you. I think your solution below deals
with at least some of the problem, but not all of it.
>This tag should have been part of HTML from day one.
>I take this back, make it day zero.
Part of the problem is because we started using HTML without any idea that
we'd end up depending on it for nearly everything. All sorts of stuff is
bolted on afterwards, so it is a bit of a mess.
>This tag, when applied to any text, returns that text unchanged.
>Zero, when added to any number, returns that number unchanged.
>In spite of this simplicity, it took a long time to discover
>or invent the number zero. Solving cross scripting problem with HTML
>lacking this zero tag is like multiplying with Roman numerals.
Interesting analogy.
>Will adding this tag cause any problems?
>The possible problem is that it may delay some
>sexier features: adding smell, taste, touch,
>the sixth sense and the fourth dimension to the web.
>This is a no-op tag, it performs no operation.
>It should not be too difficult to implement it.
>It would be difficult to make incompatible implementations,
>but not impossible.
I would further suggest that a similar
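The "zero tag" proposed in the quoted text has a practical counterpart today in output encoding, which is also what CERT's short-term fix amounts to: the visitor sees exactly the text that was typed, but the browser never parses it as markup. As an added example that is not part of this thread, here is a small Python rendering routine for a commenter's name, beside the raw-echo behaviour the thread describes; the sample name and the function names are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a commenter's "name" carrying the kind of
# script the thread describes being stuck into the comment page.
SAMPLE_NAME = "Zag <script>alert('name');</script>"


def render_author_unsafe(name: str) -> str:
    """The behaviour the thread describes: the name is echoed raw into markup."""
    return f'<p class="author">{name}</p>'


def render_author(name: str) -> str:
    """Output-encode the name before it is placed into the page.

    This is the practical form of the proposed no-op tag: the text is
    displayed unchanged, but '<', '>', '&' and quotes become character
    references, so nothing inside it is ever parsed as an element.
    """
    return f'<p class="author">{html.escape(name, quote=True)}</p>'


class _TagCollector(HTMLParser):
    """Record the elements a browser's parser would actually create,
    plus the text it would display (character references decoded)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text += data


def parsed_tags(fragment: str) -> list:
    """Element names created when the fragment is parsed as HTML."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def displayed_text(fragment: str) -> str:
    """Text the visitor would see once the fragment is rendered."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.text
```

Running `parsed_tags` over both renderings shows the difference directly: the raw echo yields a `script` element, the encoded version yields only the `p`, while `displayed_text` confirms the encoded name is shown exactly as typed.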