[langsec-discuss] Fwd: HTML syntax trees for Ruby

Nils Dagsson Moskopp nils at dieweltistgarnichtso.net
Wed Aug 28 13:43:32 UTC 2013

Arne Brasseur <arne.brasseur at gmail.com> wrote on Wed, 28 Aug 2013
15:07:05 +0200:

> […]
> In my talks I've been talking about the "Apples and Snakes
> Architecture". Snakes are strings, they bite you. Syntax trees yield
> apples, they're tasty. You want to keep the snakes out of your app,
> and convert from/to apples (syntax trees) at the boundaries.

In my experience, many web developers – and especially framework
authors – are quite bad at distinguishing object language from meta
language and continue to do so, because it “seems” to work. Many of
them do not reason about syntax trees, even if they are actually able
to do so, and just use string concatenation. Those people do not
believe “snakes” to be sufficiently dangerous. How do you teach them?

Case in point, my User Agent string is “Mozilla/4.0 (MSIE 6.0';DROP
TABLE browsers;--"<u>{!=&})”. While correct according to the RFC, I
encounter broken web pages on a weekly basis. Considering that the UA
string usually is not something that should affect the markup at all, I
would not expect such programmers to write secure software at all –
even if they (or their tools) properly escape their output.

> Templating language implementations, like most other existing tools,
> are not "Apples and Snakes", but they could be reimplemented that way.

This reminds me of an article about phantom types in Rust. Through
strong typing, unsafe string concatenation becomes a compile error:

Nils Dagsson Moskopp // erlehmann

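The phantom-type idea the post refers to, worked through as an added example; this is not code from the post, from Arne Brasseur's tools, or from the Rust article Nils mentions, and the names `Text`, `Raw`, `Escaped`, `Html`, `untrusted`, `escape` and `literal` are assumptions made here. Untrusted input ("snakes") enters only as `Text<Raw>`; the document builder accepts only `Text<Escaped>`; the one way to cross that boundary is `escape()`. Forgetting to escape is then a type error at compile time rather than an injection at run time:

```rust
// Added example (not from the original mailing-list post): a phantom-typed
// string wrapper that keeps raw, untrusted strings out of HTML output.
use std::marker::PhantomData;

/// Marker types: they carry no data, only a compile-time label.
pub struct Raw;
pub struct Escaped;

/// A string tagged with its trust level. `State` exists only in the type.
pub struct Text<State> {
    inner: String,
    _state: PhantomData<State>,
}

impl Text<Raw> {
    /// Wrap untrusted input (request headers, form fields, ...).
    pub fn untrusted(s: &str) -> Self {
        Text { inner: s.to_string(), _state: PhantomData }
    }

    /// The only boundary crossing: HTML-escape the five significant characters
    /// and hand back a value the document builder will accept.
    pub fn escape(self) -> Text<Escaped> {
        let mut out = String::with_capacity(self.inner.len());
        for c in self.inner.chars() {
            match c {
                '&' => out.push_str("&amp;"),
                '<' => out.push_str("&lt;"),
                '>' => out.push_str("&gt;"),
                '"' => out.push_str("&quot;"),
                '\'' => out.push_str("&#39;"),
                _ => out.push(c),
            }
        }
        Text { inner: out, _state: PhantomData }
    }
}

impl Text<Escaped> {
    /// Markup written by the developer. Restricting the argument to `&'static str`
    /// means only compile-time literals fit; request data never has that lifetime.
    pub fn literal(s: &'static str) -> Self {
        Text { inner: s.to_string(), _state: PhantomData }
    }
}

/// An HTML document under construction. `push` takes `Text<Escaped>` only,
/// so a `Text<Raw>` argument is rejected by the compiler.
pub struct Html(String);

impl Html {
    pub fn new() -> Self {
        Html(String::new())
    }
    pub fn push(mut self, t: Text<Escaped>) -> Self {
        self.0.push_str(&t.inner);
        self
    }
    pub fn render(self) -> String {
        self.0
    }
}

/// Render the kind of page the post's User-Agent string breaks. Because `ua`
/// is wrapped as `Text<Raw>`, dropping the `.escape()` call does not compile.
pub fn page_for_user_agent(ua: &str) -> String {
    Html::new()
        .push(Text::literal("<p>Your browser: "))
        .push(Text::untrusted(ua).escape())
        .push(Text::literal("</p>"))
        .render()
}

fn main() {
    // Constructed sample input: the User-Agent string quoted in the post.
    let ua = "Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--\"<u>{!=&})";
    println!("{}", page_for_user_agent(ua));
    // The rejected variant, for the reader to try: uncommenting this line fails
    // with "expected `Text<Escaped>`, found `Text<Raw>`".
    // let _ = Html::new().push(Text::untrusted(ua));
}
```

The design choice worth noting is that `escape()` consumes `self`: once a value has been escaped there is no `Text<Raw>` left to concatenate by accident, and no `From<&str>` or `Display` impl exists for the raw side, so the string form of the input cannot reach the document except through the boundary function.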