[cap-talk] solve CSRF by making references unforgeable, not unshareable

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Wed Mar 25 18:39:51 EDT 2009


Kevin Reid wrote:
> On Mar 25, 2009, at 12:41, David-Sarah Hopwood wrote:
>> SQL injection (and injection attacks in general for any language) can
>> be solved by ensuring that the structure of the query as parsed is the
>> structure intended by the programmer. The easiest and simplest way to
>> do this is for the query API to represent a query as an abstract  
>> syntax tree, not a string.
> 
> Indeed. My E-on-JavaScript implementation suffers from the lack of AST
> libraries for HTML and JavaScript (though I built a half-baked
> output-only system for JS).

Just close your eyes and imagine a sane world in which S-expressions won,
and it won't hurt a bit.

  HTML:
     <!doctype html>
     <html>
       <head>
         <title>Hello</title>
       </head>
       <body>...</body>
     </html>

->   (!doctype "html"
       (html
         (head
           (title "Hello"))
         (body "...")))

-> deepSeal(
     ["!doctype", "html",
       ["html",
         ["head",
           ["title", "Hello"]],
         ["body", "..."]]]
   )


  JavaScript:
     (function foo(x){alert(x);})(42);

->   (sourceElements
       (callExpression
         (functionExpression "foo" ("x")
           (sourceElements
             (callExpression
               (identifier "alert")
               (identifier "x"))))
         (numericLiteral 42)))

-> deepSeal(
     ["sourceElements",
       ["callExpression",
         ["functionExpression", "foo", ["x"],
           ["sourceElements",
             ["callExpression",
               ["identifier", "alert"],
               ["identifier", "x"]]]],
         ["numericLiteral", 42]]]
   )

Who needs objects? ;-)

-- 
David-Sarah Hopwood ⚥
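
Added example, not part of the original post: a serializer for the nested-array HTML form shown above, so that a string placed in the tree can only ever become text, never markup. The `deepSeal` body (built on `Object.freeze`), the `serialize` and `page` helpers, the tag-name rules and the sample input are all assumptions made for this illustration.

```javascript
// Added illustration; deepSeal is an assumed implementation built on Object.freeze.
const VOID = new Set(['br', 'hr', 'img', 'input', 'link', 'meta']);
const TAG_NAME = /^[a-z][a-z0-9]*$/;

// Recursively freeze a nested-array tree so no caller can alter it later.
function deepSeal(node) {
  if (Array.isArray(node)) {
    node.forEach((child) => deepSeal(child));
    Object.freeze(node);
  }
  return node;
}

// Strings are only ever emitted as element content, so &, < and > suffice.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// A node is a string (text) or [tagName, ...children], as in the post.
function serialize(node) {
  if (typeof node === 'string') return escapeText(node);
  if (!Array.isArray(node) || typeof node[0] !== 'string') throw new TypeError('bad node');
  const [tag, ...children] = node;
  if (tag === '!doctype') {
    // The post's shape: ["!doctype", "html", rootElement]
    if (children[0] !== 'html') throw new TypeError('unsupported doctype');
    return '<!doctype html>' + children.slice(1).map(serialize).join('');
  }
  // Tag names are checked, never escaped: a bad name is a programming error.
  if (!TAG_NAME.test(tag)) throw new TypeError('bad tag name: ' + tag);
  // script/style content is not parsed as text, so entity escaping is wrong there.
  if (tag === 'script' || tag === 'style') throw new TypeError('raw-text element');
  if (VOID.has(tag)) {
    if (children.length) throw new TypeError('void element with children');
    return '<' + tag + '>';
  }
  return '<' + tag + '>' + children.map(serialize).join('') + '</' + tag + '>';
}

// Build the post's example page around a title of unknown origin.
function page(title) {
  return deepSeal(['!doctype', 'html',
    ['html', ['head', ['title', title]], ['body', '...']]]);
}

// Constructed input that would close <title> under string concatenation.
const untrusted = '</title><script>alert(1)</script>';
console.log(serialize(page('Hello')));
console.log(serialize(page(untrusted)));
```

The second line of output keeps the same element structure as the first; the constructed input appears inside `<title>` as escaped text.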


