HTML Injection Attacks: Impact and Mitigation Strategies
Finding harmony in web development
1. Finding harmony in web development
Chris Heilmann - London Web Meetup, February 2011
2. You are in a strange place. To the west is a rock, to the east is a hard place, to the north is the Devil and the south is the Deep Blue Sea.
Command:_
8. Basic Hypertext model: [diagram: documents made of text and links, each link loading another document]
41. The holy trinity according to the book of Zeldman: Behaviour (JavaScript), Presentation (CSS), Structure (HTML).
42. The reality according to people you ask these days: JavaScript libraries, polyfills, templating languages and "real languages" translated to JS. CSS - created with a meta language as it lacks variables and stuff. Some HTML placeholder stuff.
43. Of course depending on what they do... jQuery! CSS OMFG!!!! CSS3 Transition and Animation and Shadows and fonts! OMG OMG OMG! Clean HTML from Expression Engine or Wordpress.
44. We tend to define tech by how we use it rather than what it is meant to do.
46. What is HTML?
• JavaScript's bitch (empty elements, links pointing nowhere, content to show and hide)
• A static database (microformats, semantics of awesome)
• The thing Google loves
• The end result of using real languages on the server.
• Outdated
47. What is CSS?
• Something to style and animate with - really the thing that makes the web interesting.
• Something to simulate layouts with and hope they work.
• Not good enough - it needs variables and constants and mixins and all the other cool things real languages have.
• Broken
48. What is JavaScript?
• The predecessor to jQuery.
• Dangerous - use noscript.
• Awesome, use it with node.js to see why it rocks.
• Too hard to learn.
• Broken. Time to use LUA/Python/Ruby/Coffeescript instead.
• The thing Crockford understands.
64. Unknown overheads:
• Portability.
• Training of all involved.
• Explanation of abstraction layers for maintainers.
• Performance impact (can the client/server handle it?).
• Impact on UX/PM.
65. "Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance."
Kurt Vonnegut, Hocus Pocus
67. "If you animate things, do it in CSS! CSS transitions and animations are faster as they are hardware accelerated and people don't need to learn JavaScript!"
68. "Using a Mac is the best thing you can do right now, but be careful as everything is faster and looks much smoother there! Test in a VM, too!"
69. "Chrome is currently the fastest browser - no point in using any other if you want to build things fast."
71. "On desktops, using CSS transitions for motion or CSS keyframes for animations were slower than simply using JavaScript for these tasks. Worse, they often generated noisy framerates, so they are not a good solution for games in desktop browsers."
https://developers.facebook.com/blog/post/460