Php why must your apps suck so?
Craig Thomas
bicycle.nutz at gmail.com
Wed Oct 24 23:06:24 UTC 2007
On 10/24/07, Toshio Kuratomi <a.badger at gmail.com> wrote:
> Paulo Santos wrote:
> > Drupal + SELinux + mod_security ?!
> >
> It looks like the combination of SELinux and mod_security will cover the
> range of exploits as long as we have policy that covers all the
> approaches in both SELinux and mod_security. I have some misgivings
> about running software that I know is going to need third party tools to
> enforce security rather than having the extra checks be part of
> defense in depth but it seems that that would work.
>
> And in answer to the subject, "Php why must your apps suck so?" the
> unfortunate answer is that it's built into the language. <?php $USERVAR
> ?> and <?php echo $USERVER ?> are inherently bad because they don't html
> escape $USERVAR yet it is the method used by practically all php code to
> output variables to the page.
>
> Many Python web frameworks address this issue in the framework by
> automatically html escaping any variable which is displayed in the
> template. Notably, kid and genshi (the template languages we're using
> for our TG deployments) work this way. PHP, on the other hand, makes
> constant vigilance necessary.
Perhaps it's possible to help mitigate any non-escaped output by
developing (or using) whatever themes need to be developed for a
Drupal install using smarty ? quite a few of the themes do use smarty.
--
Craig
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>
More information about the Fedora-infrastructure-list
mailing list