Re: Re: Re: CGI scripts and NMS

Personally I don't think that code it too complex. And I think it's better to show beginners slightly more complex but correct code than to show them the code in most existing CGI repositories.

And as for bugs. Well, no-one's perfect. We're not saying that we are. All suggestions will be very welcome on the nms developers mailing list.

--
<http://www.dave.org.uk>

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

Comment on Re: Re: Re: CGI scripts and NMS

Replies are listed 'Best First'.
Re: Re: Re: Re: CGI scripts and NMS by gellyfish (Monsignor) on Jan 26, 2002 at 23:03 UTC
Hmm, I would say that the code is complex however I would not say it is overly complicated - bearing in mind what the code is doing, I am sure that everyone is in agreement that whitelist based HTML filtering is a good thing (unless one is a skript kiddie trying to damage the website of course :). I have had a couple of hacks at doing the same thing using HTML::Parser and I think that would be just as 'orrible looking :) The thing here is that there is always going to be a conflict between the didactic aims of NMS and the needs to provide secure and robust code - in this case the latter concern has become foremost, on the other hand we have rejected changes that have seemed overly obfuscated and hopefully implemented the same stuff in a more clear manner. For myself I am delighted that people are finding security holes in the NMS programs - this is an OPPORTUNITY for us to make the stuff better. For myself I would hate it if the programs were being used by people and the only people who knew there were vulnerabilities were the crackers and skript kiddies. I can't speak for anyone else on the project but I know that I am not omniscient :) /J\	[reply]

Replies are listed 'Best First'.

Re: Re: Re: Re: CGI scripts and NMS
by gellyfish (Monsignor) on Jan 26, 2002 at 23:03 UTC

Hmm, I would say that the code is *complex* however I would not say it is overly *complicated* - bearing in mind what the code is doing, I am sure that everyone is in agreement that whitelist based HTML filtering is a good thing (unless one is a skript kiddie trying to damage the website of course :). I have had a couple of hacks at doing the same thing using HTML::Parser and I think that would be just as 'orrible looking :)

The thing here is that there is always going to be a conflict between the didactic aims of NMS and the needs to provide secure and robust code - in this case the latter concern has become foremost, on the other hand we have rejected changes that have seemed overly obfuscated and hopefully implemented the same stuff in a more clear manner.

For myself I am delighted that people are finding security holes in the NMS programs - this is an OPPORTUNITY for us to make the stuff better. For myself I would hate it if the programs were being used by people and the only people who knew there were vulnerabilities were the crackers and skript kiddies. I can't speak for anyone else on the project but I know that I am not omniscient :)

/J\

[reply]