Putting one's money where one's mouth is …
Two of three days of the main conference now gone. I’ve met a number of people I’ve not seen before, and seen some interesting presentations. The highlight of today was Ivan Ristic’s mod_security talk: that module is getting seriously interesting.
There were other security-related talks today, including one on web application security. Why can’t people use the best tools available? It seems that whereas everyone knows you protect against SQL injection by using prepared statements, few will take the similarly-simple-and-effective measure against scripting hacks: parse the input with a real markup parser and re-emit only the elements and attributes you know to be safe. Instead, they’ll try to enumerate scripting situations, and hack up elaborate expressions to try and catch scripts “concealed” by tricks like embedded whitespace or comments – expressions that a filter-evader can always get round, because a regex never sees the markup the way a browser does.
That apparent lack of awareness spilled over into chrisjdavis’s community talk, when he spoke of having had long discussions about HTML vs XHTML (how many angels can dance on your pinhead?) HTML was chosen – which is fine – but for the wrong reason: namely, the perceived problem of ensuring well-formed XHTML from user inputs that may include markup. He was expecting me to heckle, and at that point I did mutter something about it not being a problem, or being a problem with a simple solution: use markup-aware tools. Chris being a man to get the better of any heckler, there’s now an onus on me to .. um .. explain what I meant. And other things I’ve heard today hint that it might be of use more widely.
Well, it’s a problem I’ve addressed successfully in mod_annot. So what I propose to do now is write an article explaining how it works, and including relevant C code – which should be straightforward enough to convert to PHP or other language. Chris (or anyone), if I haven’t done it by, say, end of next week(end) (April 20), please heckle me!
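As an added illustration of the point in the two paragraphs above (this is not code from the original post, nor from mod_annot, whose C code the author promises to write up separately): the regex blacklist that enumerates “script situations”, beside a parser-based allow-list built on Python’s standard-library html.parser. The element and attribute policy, the helper names (regex_strip, sanitize, safe_url, AllowListParser) and all the sample inputs are this example’s own assumptions. The parser version also answers the XHTML worry from the community talk: it closes every element it emitted, so its output is well-formed whatever the input looked like.

```python
"""Added example (not from the original post or mod_annot): why a markup-aware
parser beats regex blacklisting for user-supplied HTML.

Everything here, including the sample inputs, is constructed for illustration;
the allow-list policy and helper names are this example's own choices."""
import html
import re
from html.parser import HTMLParser

# --- The approach criticised in the post: enumerate "script situations" -------
SCRIPT_RE = re.compile(r'<script\b.*?</script\s*>', re.I | re.S)
JS_URL_RE = re.compile(r'javascript:', re.I)

def regex_strip(markup):
    """Blacklist filter: delete <script>...</script> and 'javascript:'."""
    return JS_URL_RE.sub('', SCRIPT_RE.sub('', markup))

# --- Markup-aware alternative: parse, then re-emit only what is allowed -------
# Allowed element -> allowed attributes (assumed policy for this example).
ALLOWED = {
    'p': set(), 'b': set(), 'i': set(), 'em': set(), 'strong': set(),
    'code': set(), 'pre': set(), 'br': set(), 'a': {'href', 'title'},
}
VOID = {'br'}                        # emitted as <br/> so the output is XHTML-clean
DROP_CONTENT = {'script', 'style'}   # body of these is discarded, not just the tags
SAFE_SCHEMES = {'http', 'https', 'mailto'}
SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.-]*):')

def safe_url(url):
    """Allow relative URLs and a few schemes. Whitespace and control characters
    are removed before checking, because browsers ignore them inside a scheme
    ('java\\tscript:' or 'java&#9;script:' would otherwise slip through)."""
    if url is None:
        return False
    cleaned = ''.join(c for c in url if not c.isspace() and c.isprintable()).lower()
    m = SCHEME_RE.match(cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES

class AllowListParser(HTMLParser):
    """Re-serialises input as well-formed markup containing only allowed
    elements/attributes. Unknown tags vanish (their text survives), script and
    style bodies vanish, comments vanish, and every element opened is closed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skipping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = True          # swallow the element body too
            return
        if tag not in ALLOWED:
            return                        # unknown element: drop the tag only
        kept = ''
        for name, value in attrs:         # html.parser has already decoded &#9; etc.
            if name not in ALLOWED[tag] or (name == 'href' and not safe_url(value)):
                continue
            kept += ' %s="%s"' % (name, html.escape(value or '', quote=True))
        if tag in VOID:
            self.out.append('<%s%s/>' % (tag, kept))
        else:
            self.out.append('<%s%s>' % (tag, kept))
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
            return
        if tag not in self.stack:
            return                        # stray or unmatched close tag: ignore
        while self.stack:                 # close anything still open inside it
            open_tag = self.stack.pop()
            self.out.append('</%s>' % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                              # comments (incl. IE conditionals) dropped

    def result(self):
        self.close()                      # flush any buffered text
        while self.stack:                 # close whatever the input left open
            self.out.append('</%s>' % self.stack.pop())
        return ''.join(self.out)

def sanitize(markup):
    p = AllowListParser()
    p.feed(markup)
    return p.result()

if __name__ == '__main__':
    # Constructed inputs: tag-splitting, whitespace inside a URL scheme, an
    # event-handler attribute, and an unclosed element.
    for s in ['<scr<script></script>ipt>alert(1)</script>',
              '<a href="java&#9;script:alert(1)">x</a>',
              '<img src=x onerror=alert(1)>',
              '<b>unclosed <i>text']:
        print(repr(s))
        print('  regex :', repr(regex_strip(s)))
        print('  parser:', repr(sanitize(s)))
```

The first sample shows the classic failure of the blacklist: one pass of the regex removes the inner `<script></script>` and leaves `<script>alert(1)</script>` behind, while the parser sees a bogus tag name, drops it, and emits only escaped text. The parser version is safe by construction because nothing reaches the output except what the allow-list explicitly permits; the policy above is deliberately small, and a production site would want a maintained sanitiser with a fuller one.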
On an entirely different note, this evening I went to Un Ballo in Maschera at the Dutch opera. ‘Twas musically impressive, and I liked Het Muziektheater, a large modern theatre with clear sightlines, above-average legroom, etc. But the production – set right in our time – had me baffled. Erm, … what? Coming out of the theatre and looking around for a bite to eat but not a full meal at 11pm, I managed to get quite lost in the backstreets of Amsterdam – though in a much nicer area than around my hotel (Station, Damrak) or indeed the conference hotel. Eventually I headed for the main road, and saw the distinctive Nemo landmark, after which I was OK.