可能具有编译器支持(类型安全),以避免在Web开发期间对反XSS进行双重编码吗? [英] Possible to have compiler support (type safety) for avoiding double encoding for anti-XSS during Web development?
问题描述
是否可能有编译器支持来强制执行数据清除(XSS编码)?
Is it possible to have compiler support to enforce the cleanup of data (XSS encoding)?
这个问题让我想到了双重编码以及其他需要编码的时候.似乎对于Linq来说会很好用,但是在其他情况下我可能也需要此功能.
This question got me thinking about double encoding and the other times when encoding is needed. Seems like it would work great for Linq, but possibly I may need this feature in other scenarios as well.
推荐答案
是的,给定类型系统具有足够的表现力和强大功能,这确实是可能的.
Yes, given a type system than is expressive and powerful enough, this is indeed possible.
Ur/Web 是用Ur编程语言编写的Web应用程序框架,其中类型系统保证了几个有趣的属性:
Ur/Web, for example, is a web application framework written in the Ur programming language, in which several interesting properties are guaranteed by the type system:
- (在应用程序内)不能有无效链接
- 不可能生成无效的HTML
- 不可能受到XSS攻击
- 不可能进行SQL注入
- form字段始终具有相应的服务器端处理程序
- AJAX调用始终具有相应的服务器端处理程序
- 客户端表单字段,服务器端处理程序和数据库表的类型匹配
- ...更多...
Ur和Ur/Web的作者亚当·克利帕拉(Adam Chlipala)在2010年新兴语言营地上对进行了介绍.
Adam Chlipala, the author of Ur and Ur/Web gave a talk about it at the Emerging Languages Camp 2010.
Haskell,OCaml和Scala中也有一些Web框架(试图做到).它们的类型系统功能强大,足以保证其中至少一些特性.例如,在Haskell中存在SQL的类型安全嵌入,或者OCaml中的HTML模板语言不允许用户生成无效的HTML.
There are also some web frameworks in Haskell, OCaml and Scala that (try to) do (some of) that. Their type systems are powerful enough to guarantee at least some of those properties. There are type-safe embeddings of SQL into Haskell, for example, or an HTML templating language in OCaml that doesn't allow the user to generate invalid HTML.
这篇关于可能具有编译器支持(类型安全),以避免在Web开发期间对反XSS进行双重编码吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
