I'm a web application developer by trade raelix, though I build mostly forms applications, lots of database work etc
Yup that's 90% of what I'm doing.
I think my best idea so far was to take these long chunks of user input (full of touchy syntax) and just base64 them for sterility and escaping and just toss them in a mediumtext. No chance of injection, easy to measure actual input size, and a built-in php function. I have to do the same for sounds and images for proper preload on html5 embedding anyway (demo
, base64 embedded sounds to get around browsers failing to cache them for some reason), and I've found you can do the same with anything
that has a mime type.
And then I get to bitch people off my site that don't use compliant browsers so my sandboxing works (XSS in-but-not-out subdomain page in iframe). I think I'll have a special 'F*CK YOU' page for IE6 users.
I think you'll really enjoy the concept at least. I just didn't wanna see it come crashing down for lack of security. You can definitely help me with my override list later on.
Oh, and yes that JS on HTML5 thing I linked it sort of what The Project relates to, and yes it WILL kill your browser because it's intended as a stress test (How many sound channels, how many draw instructions, how many alpha gradients... before a browser just craps itself). It is fun as hell to watch though, just don't background the tab (you'll hear sounds very sparsely like it's running really slow) or you'll NaN the FPS tracking and cause the cleanup system to fail and your FPS will just start crawling as more and more scorches pile up (alpha gradients are the meanest thing you can do to a canvas). Edited, May 30th 2012 1:16am by Raelix