A friend pinged me in confidence, regarding my last statement on the post:
"the good guys will be able to invent a silver bullet to fix this thing once and for all."

One really bad thing about the type-written word is that it's very difficult for vocal inflections to come across properly. Anybody who knows me personally knows that I tend to think with my mouth at times, rather than with my brain - I say the words before I have a chance to process them, and I tend to use sarcasm more than is really prudent.
The remark I made about the good guys finding a silver bullet was and was not meant to be sarcastic. Here are several things I can use to clarify the remark:
- I don't think there's going to be some "magical solution" that will make XSS go away all by itself. History and browser security tell us so.
- I do believe there's a cure (output filtering, XHTML, proper input filtering, level of indirection) for it, but it doesn't implement itself. It takes a lot of work to discover existing problems, fix those existing problems, and instill a development culture of good coding practices.
- I do believe that the organizations that want to be rid of XSS can be rid of it, but again, it's hard.
- I am not sorry I made the statement.
- I am sorry for not clarifying what I meant. I shall try in the future to make sure that comments I type don't rely on the reader to read with the proper vocal inflections to understand the meaning - especially since English is not the primary language of many of my readers.
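To make the "output filtering" point above concrete, here is an added example (my own illustration, not code from the post or from any particular framework) of the difference between rendering untrusted text as-is and encoding it for the HTML context it lands in; the input string, the template and the helper names are all made up for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample value: contains the characters that matter for HTML
# (angle brackets and both kinds of quote) but is otherwise ordinary text.
SAMPLE_NAME = 'O\'Neil <3 "quotes"'


def render_naive(name: str) -> str:
    """Untrusted text dropped straight into two HTML contexts (no filtering)."""
    return f'<p>Hello, {name}</p><input value="{name}">'


def encode_text(s: str) -> str:
    """Element-content context: & < > become entities, so text cannot open a tag."""
    return html.escape(s, quote=False)


def encode_attr(s: str) -> str:
    """Attribute-value context: quotes are encoded too, so text cannot close the attribute."""
    return html.escape(s, quote=True)


def render_filtered(name: str) -> str:
    """Same template, but each insertion point applies the encoder for its context."""
    return f'<p>Hello, {encode_text(name)}</p><input value="{encode_attr(name)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(fragment: str) -> list[str]:
    """Tags a browser-like parser would see; the template itself has exactly <p> and <input>."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(render_naive("<b>"), start_tags(render_naive("<b>")))
    print(render_filtered("<b>"), start_tags(render_filtered("<b>")))
```

The check at the end is the property an output filter has to guarantee: whatever the input, the parsed page contains only the tags the template put there.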