[cap-talk] solve CSRF by making references unforgeable, not unshareable

Kevin Reid kpreid at mac.com
Wed Mar 25 13:49:55 EDT 2009


On Mar 25, 2009, at 12:41, David-Sarah Hopwood wrote:
> SQL injection (and injection attacks in general for any language) can
> be solved by ensuring that the structure of the query as parsed is the
> structure intended by the programmer. The easiest and simplest way to
> do this is for the query API to represent a query as an abstract  
> syntax
> tree, not a string.

Indeed. My E-on-JavaScript implementation suffers from the lack of AST  
libraries for HTML and JavaScript (though I built a half-baked output- 
only system for JS).

Are there existing ones that it would be good to borrow design or tame  
implementation of? (DOM need not apply as it uses mutable nodes tied  
to a specific Document.)

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>




More information about the cap-talk mailing list