Archive for the ‘XHTML/CSS’ Category

Mozilla’s Content Security Policy (CSP)

Tuesday, June 30th, 2009

I saw this post via SlashDot and can’t help but think it’s a little overkill?

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities: Cross Site Scripting. Cross Site Request Forgery has also become a large scale problem in Web Application Security, though it is not a primary focus of Content Security Policy.

In an ideal world, this would be great, but getting all the browsers on board and implemented may take a while. I was thinking about this the other day and I don’t see why the browsers/W3C can’t standardise on some sort of tag or conditional comment that says "don’t execute any script in here". This would be simple to use and surely simple to implement. Browsers already know what to do with <noscript>.

For Example:

<dontexecutescript>
    <?php echo $this->escape($userProvidedContent);?>
</dontexecutescript>

Or:

<!--[dontexecutescript] -->
    <?php echo $this->escape($userProvidedContent);?>
<!--[dontexecutescript]-->

I’m no expert on XSS, but I’m pretty sure this would solve most of the issues encountered.

Update:

Okay, so one obvious problem might be that the $userProvidedContent contains a closing </dontexecutescript> tag, but that’s just semantics. Unique identifiers for each block, ignoring tags that don’t match up; these browser developers are clever, they could come up with something.
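The closing-tag problem in the update is the whole story: a wrapper tag can only be trusted if the content inside it is escaped, which is exactly what the $this->escape() call in the snippets already does, and a CSP header is the mechanism browsers actually use to refuse inline script. The Python below is an added illustration, not code from the post or from Mozilla’s CSP: the <dontexecutescript> tag is the post’s hypothetical one, the sample comment is constructed, and the CSP check covers nonces and the ‘unsafe-inline’ rule only (hash-matching of script bodies and ‘strict-dynamic’ are left out).

```python
import html

# Hypothetical wrapper tag from the post; no browser implements it.
OPEN, CLOSE = "<dontexecutescript>", "</dontexecutescript>"


def wrap_raw(user_content: str) -> str:
    """Naive wrapper: trusts the tag boundary without escaping."""
    return f"{OPEN}{user_content}{CLOSE}"


def wrap_escaped(user_content: str) -> str:
    """Escape first (what the post's $this->escape does), then wrap."""
    return f"{OPEN}{html.escape(user_content, quote=True)}{CLOSE}"


def wrapper_intact(rendered: str) -> bool:
    """True if the only closing tag is the final one the template added."""
    return rendered.count(CLOSE) == 1 and rendered.endswith(CLOSE)


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def inline_script_allowed(header: str, nonce=None) -> bool:
    """Would an inline <script> (optionally carrying `nonce`) run under this policy?
    script-src falls back to default-src; 'unsafe-inline' is ignored once a
    nonce or hash source is present, as CSP level 2 and later specify."""
    sources = parse_csp(header)
    sources = sources.get("script-src", sources.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return nonce is not None and f"'nonce-{nonce}'" in sources


# Constructed sample comment: contains the closing tag a naive wrapper would honour.
SAMPLE = "Nice post!</dontexecutescript><b>now outside the wrapper</b>"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"
LAX_CSP = "default-src 'self' 'unsafe-inline'"
```

With the sample comment, wrap_raw() yields a second closing tag and wrapper_intact() is false, while wrap_escaped() keeps the boundary; inline_script_allowed(STRICT_CSP) is false unless the matching nonce is supplied, and true for LAX_CSP.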

DaveWP WordPress Theme

Tuesday, February 6th, 2007

I figure it’s about time I updated my blog and designed a new theme, but before I do I thought I would tidy this one up and release it, just like I told ‘Big John’ from Position is Everything I would do well over a year ago. It’s far from perfect, but I kind of like it and it made a good project for me to experiment with some new design technologies.

The layout is based on the Jello Mold Piefecta Layout, being a 3 column, source ordered, fixed width, equal height column layout. The template also uses sIFR to produce rich and accessible headings.

Looking back I was clearly influenced by Mike Davidson’s blog design, for which I apologise to him and in no way take credit for the ‘look’ of the theme.

Get the zip or gzipped tarball. Feedback and comments would be appreciated, but not quite as much as bug reports and fixes.

New site launched for AJW ltd.

Wednesday, October 18th, 2006

I launched a new site today, assuming the updated DNS records are rippling around the world as I type. The site was done as a favour to a friend, is very basic, but I think it gets the point across.

The company are a bespoke joinery specialist, particularly architectural joinery, and trade as Architectural Joinery Workshops Ltd. (AJW).

Still a few things to do to the site, but I’ll get those done shortly. Namely, some sort of templating system to ease updates and modifications, meta tags and then a little bit of marketing to see if we can develop some decent rankings.

New theme

Sunday, January 22nd, 2006

So this is the WordPress theme I’ve been working on. It looks a lot worse on a page full of posts, maybe I should fill up my dummy WordPress install. I definitely need some more separation between posts. I’m gonna leave it on here for now as it is, and will offer the code once I’m happy with it.

DaveProxy

Sunday, December 4th, 2005

DaveProxy, my new online proxy site, is up and running. It uses CGIProxy, a free Perl proxy script. The design didn’t take me long and I used GUG Tutorials for the graphics. It’ll stay up while I’ve got the bandwidth available, unless it starts making me loads of money and then I’ll keep it up.