[cap-talk] solve CSRF by making references unforgeable, not unshareable
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Mar 25 18:39:51 EDT 2009
Kevin Reid wrote:
> On Mar 25, 2009, at 12:41, David-Sarah Hopwood wrote:
>> SQL injection (and injection attacks in general for any language) can
>> be solved by ensuring that the structure of the query as parsed is the
>> structure intended by the programmer. The easiest and simplest way to
>> do this is for the query API to represent a query as an abstract
>> syntax tree, not a string.
>
> Indeed. My E-on-JavaScript implementation suffers from the lack of AST
> libraries for HTML and JavaScript (though I built a half-baked output-
> only system for JS).
Just close your eyes and imagine a sane world in which S-expressions won,
and it won't hurt a bit.
HTML:
<!doctype html>
<html>
  <head>
    <title>Hello</title>
  </head>
  <body>...</body>
</html>
-> (!doctype "html"
     (html
       (head
         (title "Hello"))
       (body "...")))
-> deepSeal(
     ["!doctype", "html",
       ["html",
         ["head",
           ["title", "Hello"]],
         ["body", "..."]]]
   )
JavaScript:
(function foo(x){alert(x);})(42);
-> (sourceElements
     (callExpression
       (functionExpression "foo" ("x")
         (sourceElements
           (callExpression
             (identifier "alert")
             (identifier "x"))))
       (numericLiteral 42)))
-> deepSeal(
     ["sourceElements",
       ["callExpression",
         ["functionExpression", "foo", ["x"],
           ["sourceElements",
             ["callExpression",
               ["identifier", "alert"],
               ["identifier", "x"]]]],
         ["numericLiteral", 42]]]
   )
Who needs objects? ;-)
--
David-Sarah Hopwood ⚥
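As an added example (not from the original post, and not E-on-JavaScript's own code), here is a renderer for the nested-array HTML AST above in JavaScript. It assumes the node shapes noted in the comments and implements deepSeal with Object.freeze; the point is that untrusted data can only ever be a text leaf, so it is escaped on output and cannot add elements, attributes or script.

```javascript
// Added example (not from the original post): render the nested-array HTML AST
// above to a string. Assumed node shapes: a string is a text leaf;
// ["tag", {attrs}?, ...children] is an element; ["!doctype", "html", ...children]
// is the document. deepSeal is implemented with Object.freeze (an assumption).
const VOID_TAGS = new Set(["br", "hr", "img", "input", "link", "meta"]);

function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}
// Recursively freeze the tree so no one holding a reference can restructure it.
function deepSeal(v) {
  if (v !== null && typeof v === "object") {
    Object.freeze(v);
    for (const k of Object.keys(v)) deepSeal(v[k]);
  }
  return v;
}

function renderNode(node) {
  if (typeof node === "string") return escapeText(node); // leaves are always escaped
  if (!Array.isArray(node) || typeof node[0] !== "string") throw new TypeError("bad node");
  const tag = node[0];
  let rest = node.slice(1);
  if (tag === "!doctype") {
    return "<!doctype " + escapeText(rest[0]) + ">" + rest.slice(1).map(renderNode).join("");
  }
  // Structure comes only from the AST, so validate names the programmer supplied too.
  if (!/^[a-z][a-z0-9]*$/.test(tag)) throw new TypeError("bad tag name: " + tag);
  let attrs = {};
  if (rest[0] !== null && typeof rest[0] === "object" && !Array.isArray(rest[0])) {
    attrs = rest[0];
    rest = rest.slice(1);
  }
  let out = "<" + tag;
  for (const [k, v] of Object.entries(attrs)) {
    if (!/^[a-z][a-z0-9-]*$/.test(k)) throw new TypeError("bad attribute name: " + k);
    out += " " + k + '="' + escapeAttr(v) + '"';
  }
  if (VOID_TAGS.has(tag)) return out + ">";
  return out + ">" + rest.map(renderNode).join("") + "</" + tag + ">";
}

// Constructed sample: the page title is attacker-influenced text.
const doc = deepSeal(["!doctype", "html",
  ["html", ["head", ["title", "</title><script>alert(1)</script>"]],
  ["body", ["p", { class: "greeting" }, "Hello"]]]]);
function renderExample() { return renderNode(doc); }
```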