[cap-talk] solve CSRF by making references unforgeable, not unshareable

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Wed Mar 25 18:39:51 EDT 2009

Kevin Reid wrote:
> On Mar 25, 2009, at 12:41, David-Sarah Hopwood wrote:
>> SQL injection (and injection attacks in general for any language) can
>> be solved by ensuring that the structure of the query as parsed is the
>> structure intended by the programmer. The easiest and simplest way to
>> do this is for the query API to represent a query as an abstract  
>> syntax tree, not a string.
> Indeed. My E-on-JavaScript implementation suffers from the lack of AST  
> libraries for HTML and JavaScript (though I built a half-baked output- 
> only system for JS).

Just close your eyes and imagine a sane world in which S-expressions won,
and it won't hurt a bit.

     <!doctype html>

->   (!doctype "html"
           (title "Hello")
           (body "...")))

-> deepSeal(
     ["!doctype", "html",
           ["title", "Hello"],
           ["body", "..."]]]

     (function foo(x){alert(x);})(42);

->   (sourceElements
         (functionExpression "foo" ("x")
               (identifier "alert")
               (identifier "x"))))
         (numericLiteral 42)))

-> deepSeal(
         ["functionExpression", "foo", ["x"],
               ["identifier", "alert"]
               ["identifier", "x"]]]]
         ["numericLiteral", 42]]]

Who needs objects? ;-)

David-Sarah Hopwood ⚥

More information about the cap-talk mailing list