Monday, January 18, 2010

Security analysis, JavaScript, and XForms

Some recent events have brought to the fore troubles with sprawling web user agents. The trend toward defining more semantics in open-coded JavaScript, or in calls to large JavaScript libraries, is troubling. Statically analyzing imperative JavaScript libraries and calls is surely a more difficult task than analyzing declarative markup that expresses the same semantics.

These problems aren't new, nor are they limited to HTML uses of JavaScript: PDF is vulnerable as well, and again.

Some claim that JavaScript is used for mundane tasks such as boolean constraint validation and data type assignment because the market demands it. It's time for the market to wake up to the terrible cost of security flaws inherent in the JavaScript model, and demand integration of data types, constraints, validation, repeating and switch structures, and rational data submission: XForms 1.1 provides a good start.
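As an added example (not code from the original post), here is the kind of declarative form the paragraph above argues for: an XForms 1.1 model in which data types, constraints, the repeating and switch structures, and the submission are all markup that a reviewer or a static checker can enumerate, with no validation script whose behaviour has to be reasoned about. The field names, instance data and submission URL are constructed, and it assumes an XForms 1.1 processor hosting XHTML.

```xml
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:ev="http://www.w3.org/2001/xml-events">
  <head>
    <title>Order form with declared constraints</title>
    <xf:model>
      <!-- Constructed sample instance data (not from the post). -->
      <xf:instance id="order">
        <order xmlns="">
          <email/>
          <item><sku/><qty>1</qty></item>
        </order>
      </xf:instance>
      <!-- Types and constraints are markup a tool can enumerate; there is no validation script to audit. -->
      <xf:bind nodeset="email" type="xs:string" required="true()"
               constraint="contains(., '@')"/>
      <xf:bind nodeset="item/sku" type="xs:string" required="true()"
               constraint="string-length(.) &lt;= 16"/>
      <xf:bind nodeset="item/qty" type="xs:positiveInteger" constraint=". &lt;= 100"/>
      <!-- The processor refuses to submit while any bound node is invalid. -->
      <xf:submission id="place-order" resource="https://orders.example/submit"
                     method="post" validate="true" replace="none"/>
    </xf:model>
  </head>
  <body>
    <xf:input ref="email"><xf:label>E-mail</xf:label><xf:alert>Enter an address containing '@'</xf:alert></xf:input>
    <!-- Switch structure: the item list is shown only after the contact step. -->
    <xf:switch>
      <xf:case id="contact" selected="true">
        <xf:trigger>
          <xf:label>Next: items</xf:label>
          <xf:toggle case="items" ev:event="DOMActivate"/>
        </xf:trigger>
      </xf:case>
      <xf:case id="items">
        <!-- Repeating structure: every row is checked by the same binds declared in the model. -->
        <xf:repeat nodeset="item" id="item-rows">
          <xf:input ref="sku"><xf:label>SKU</xf:label></xf:input>
          <xf:input ref="qty"><xf:label>Qty</xf:label><xf:alert>Whole number from 1 to 100</xf:alert></xf:input>
        </xf:repeat>
        <xf:submit submission="place-order"><xf:label>Place order</xf:label></xf:submit>
      </xf:case>
    </xf:switch>
  </body>
</html>
```

Because the rules are data rather than code, a checker can list every field, its type and its constraint, and confirm that nothing in the form can reach the submission step with an unvalidated value.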
