OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
RE: [xml-dev] Error and Fatal Error

This is a classic example of "SQL Injection" although in this case its "XML
Just Google it and you'll see its not specific to XML or SQL or anything
else.   It's a core problem of software that all engineers need to handle.  
Any time you allow an 'end user' to 'inject' data into a programming or
markup language or pretty much anything you need to escape or sanitize it.
That's just the way it is.   Ignore this and you're asking for trouble.  Or
worse, your asking for *disaster*.
If you don't ... the BEST that can happen is a syntax error. Yes that's
GOOD.    Syntax errors are a good thing.  They mean you screwed up.   But
they don't happen all the time.
A clever person can avoid the syntax errors and inject really nasty things
...   That's really bad.
The WORSE that can happen is invisible unintended data or code injection.
You should be praying thanks to the XML parser Gods for rejecting this bad
data rather than passing it along blindly and "fixing" it.   Atleast it
catches the unintentional mistakes and highlights your code bugs that will
not be exposed by a truly malicious hacker.

If you want to pass through user data un- sanitized, please send me the URL
so I can add a few million$ to my bank account or whatever the site allows
but doesn't intend.

If you want magic to happen that always does the 'right thing' (citation
needed) in software and reads the minds of the programmer's intent instead
of what you actually told the computer to do your either in the wrong field
or the wrong century.   

David A. Lee

-----Original Message-----
From: Jim Melton [mailto:jim.melton@oracle.com] 
Sent: Wednesday, August 10, 2011 8:35 PM
To: stephengreenubl@gmail.com
Cc: Toby.Considine@gmail.com; xml-dev@lists.xml.org
Subject: Re: [xml-dev] Error and Fatal Error


At 7/18/2011 01:14 PM, Stephen D Green wrote:
>The problem is that there are tags in the strings - it is XML.
>System.Security.SecurityElement.Escape and HtmlEncode would change the 
>angle brackets in the tags too.

I suggest that you've failed to accept what many have been telling
you: The presence of angle brackets around sequences of certain characters
might create "tags", but that does not make it XML.  "XML" 
is a well-defined language.  Claiming that text such as;
    <elem attr="<"&<Bob"/>
is XML doesn't make it so.  There are explicit rules in the definition of
the language XML that prohibit attribute values containing <, &, and the
quoting character itself unless they are properly "escaped".  Violation of
those rules means that the text doesn't meet the definition of XML.  Would
you, for example, expect a C processor to process this text properly:
    switch (flag] { ... )
even though the right square bracket was pretty "obviously" supposed to be a
right parenthesis and the right parenthesis a right curly brace?  I haven't
encountered a C processor that would make those corrections -- they all seem
to report syntax errors and expect me to make the corrections.  I don't find
that unreasonable.

I'm no longer a software developer (although I was for many, many years),
and yet I've been able to write fairly simple code in a couple of different
languages that pseudo-parses input text that claims to be XML, locates
certain aberrations that my application typically produces (e.g., & and < in
what were intended to be attribute values, -- in what were intended to be
comments), and corrects those specific errors (e.g., replacement with
character references and insertion of a space between the hyphens).  Full
parsing is rarely needed, depending on the precise errors that you intend to
fix.  I'm sure that you can do the same without significant overhead.

Hope this helps,

Jim Melton --- Editor of ISO/IEC 9075-* (SQL)     Phone: +1.801.942.0144
   Chair, ISO/IEC JTC1/SC32 and W3C XML Query WG    Fax : +1.801.942.3345
Oracle Corporation        Oracle Email: jim dot melton at oracle dot com
1930 Viscounti Drive      Alternate email: jim dot melton at acm dot org
Sandy, UT 84093-1063 USA  Personal email: SheltieJim at xmission dot com
=  Facts are facts.   But any opinions expressed are the opinions      =
=  only of myself and may or may not reflect the opinions of anybody   =
=  else with whom I may or may not have discussed the issues at hand.  =


XML-DEV is a publicly archived, unmoderated list hosted by OASIS to support
XML implementation and development. To minimize spam in the archives, you
must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org List archive:
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS