tag:blogger.com,1999:blog-1176949257541686127.post7291320788164226863..comments2009-10-09T11:02:29.875-07:00Molly Grahamhttp://www.blogger.com/profile/14622034276288473028noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-1176949257541686127.post-12441884331749145192009-05-09T23:53:00.000-07:002009-05-09T23:53:00.000-07:00IF you want to help remove malware then go here..<br /><br />http://remove-malware.com/NASHUAhttp://www.blogger.com/profile/17189945625705453935noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-52501776364519814162009-04-21T18:29:00.000-07:002009-04-21T18:29:00.000-07:00Its here the quality work clean of little else is done at Google. Very good blog post.<br /><br />Escape-sequences cause so much problem and have do it so long. People patching code from different generations, different projekt and so on.<br /><br />Very usefull.Hans Husmanhttp://www.blogger.com/profile/03236946330372858904noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-19476118614339941002009-04-20T18:19:00.000-07:002009-04-20T18:19:00.000-07:00It seems that the inferred filter may be less specific than the actual syntax for the value to be substituted. For instance, the CSS example expects a colour, but the inferred filter will only reject specific unsafe CSS constructs, by the sound of it.<br /><br />Other than reading the source code, is there any documentation on precisely what each escaping filter does?David-Sarah Hopwoodhttp://www.blogger.com/profile/07786700719460528830noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-72453574414061456292009-04-19T11:58:00.000-07:002009-04-19T11:58:00.000-07:00Please roll these changes into the version of clearsilver that is available on appengine:<br /><br />http://code.google.com/p/googleappengine/issues/detail?id=1363yohttp://www.blogger.com/profile/03076771604056633441noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-73897633437671185722009-04-14T03:54:00.000-07:002009-04-14T03:54:00.000-07:00Hi<br /><br />So you consider that on large applications, the approach of filtering data when it enters the program is not maintainable. Some dev will forget it, and there is no way to test if all the necessary filters are in place, so you put a big bold filter on the output.<br /><br />It seems efficient at cleaning the output from xss attacks style, but<br />isn't the remedy worst that the disease ?<br /><br />If, when it was really necessary devs were forgetting to properly filters inputs, now that there is that filter-on-output system, won't they be even more lazy ?<br /><br />It seems to me that this approach hardens protection against xss-attacks, and weaken protection against more old school attacks.<br /><br />olivvvolivvvhttp://www.blogger.com/profile/14453089855388241047noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-23608275933843385822009-04-07T09:46:00.000-07:002009-04-07T09:46:00.000-07:00Hello. Auto-Escaping and Context-Aware Escaping are great concepts. They can be used by PHP programmers too - they are implemented in Nette Framework (see http://jdem.cz/a96g5 )David Grudlhttp://www.blogger.com/profile/15126256658321374114noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-30241383256415882802009-04-05T20:37:00.000-07:002009-04-05T20:37:00.000-07:00You guys are a little over my head, but you guys are awesome. Thanks for all the info!<BR/>Jack O'Sullivan<BR/><A HREF="http://www.bedroomsetswarehouse.com/" REL="nofollow">Bedroom Sets</A>Jack O'Sullivanhttp://www.blogger.com/profile/05307729253819602467noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-43111521488737232072009-04-02T13:32:00.000-07:002009-04-02T13:32:00.000-07:00For some additional background on context sensitive escaping in HTML, check out OWASP's XSS Prevention Cheat Sheet at http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. Are there differences with what is recommended there?jwilliamshttp://www.blogger.com/profile/16837701522866491602noreply@blogger.comtag:blogger.com,1999:blog-1176949257541686127.post-20579505227850269722009-04-01T04:49:00.000-07:002009-04-01T04:49:00.000-07:00I like django solution - all data substitution are dangerouse, but when you need html you place 'safe' filter, and now you start really thinking safe it or notmikedhttp://www.blogger.com/profile/14798506024063004481noreply@blogger.com