Correct, if you store HTML in your database, you need to VALIDATE your data using a HTML Policy tool like OWASP AntiSamy. But really, you should never store ENTITY encoded data in the database, you should encode at your use boundary in your UI layer.
Slashdot videos: Now with more Slashdot!
We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).
*applause* It's even worse - the new ASP output encoding API's only encode for HTML Entity - what about JS, CSS, HTML Attribute and other encoding contexts that you need for secure programming to stop XSS? Not to mention DOM based XSS where you need to encode for JS Variable AND HTML Attribute, in some cases. Web Security Programming is not easy - and its frankly impossible if you don't have the right tools.
1967 "The Miracles" reference, very nice. =)
Ah, that makes sense.
My comment about secure password treatment stands true for enterprise applications, but for a honeypot it makes total sense to log passwords.
But, suppose you had an administration console to the honeypot that you did NOT want hackers to have access to - like some honeypot report/statistical sub-application - well, for that sub-app you would want to take my advise about password treatment.
I meant to say "All that knowledge is mostly useless - but the understand that CS is all about constantly learning new stuff - priceless."
Thank god I do not get paid to write.
Oh comon - Bangalore College is a degree farm. That one college pumps out more grad's than all of the US probably. It's not the college or the education - it's the individual. Can you play in the world of computers and discrete math? Can you deal with 6 different programming languages to build a modern website? Some folks with PhD's cant play in this world - while some who never went to school are software engineering masters. The only thing my CS degree got me is a piece of paper - and some practice in learning about computers. All that knowledge is not mostly useless - but the understand that CS is all about constantly learning new stuff - priceless.
The moment you have a system that even has the capacity to log passwords, you have a security anti-pattern. Passwords are to be stored as per-user salted sha-2 hashes and should never be logged.
Link to Original Source