Re: [Full-Disclosure] Exploits in websites due to buggy input validation where mozilla is at fault as well as the website.

[Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>]

Nick FitzGerald wrote:

> Nope -- _VERY_ bad idea.
>
>  
I'm not sure I'd call it a *very* bad idea... it's better than silently 
finishing incomplete tags. 

> Idiot users want to blow both their feet off.
>
> Asking them "do you want a chance to blow your feet off?" only slows 
> the inevitable slightly, never prevents it.
>
>  
Well, yeah, and that's always going to be the case no matter what you 
do.  Let's at least make it so that non-idiot users don't get their feet 
blown off regardless.

> The correct solution to all such problems is simply to reject the 
> content as malformed.  And guess what will happen when you do that?  
> Several really crappy web design products will disappear because the 
> folk using them will drop them because no-one can see their pages _and_ 
> the rest will suddenly become very inetrested in producing properly 
> compliant content, as they should have been from the outset.
>  
Yeah - that's probably a better idea.  It's garbage data if it's 
malformed.  Dropping it is far better.

            -Barry





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html