startsmart
New Member
I was having a debate with a friend about the merits of Silverlight vs HTML (with server-side logic) for general application development. He argued that because Silverlight rigidly separates user-provided input from presentation code, whereas HTML+PHP/ASP.NET/etc writes user input directly into HTML, it is immune from all kinds of injection attacks like XSS.

I see his point, but I would argue that HTML would not have this problem if there were a server-side platform that, instead of providing the developer with a simple output stream (as PHP does with `echo` or ASP.NET with `Response.Write` and `MvcHtmlString`), only exposes a DOM. All server-side code would then have to return DOM nodes, and provided that use of `InnerHtml` is prohibited, such a system would be inherently immune to XSS and other injection attacks.

Other benefits include guaranteed generation of valid HTML (if validation logic is included in the DOM, such as preventing `<div>` being a child of `<p>`) and the ability for post-processing filters to manipulate the document in ways currently (feasibly) impossible to us now, such as automatic localization and data verification (such as checking every `<label for="">` attribute is valid), being able to dynamically reformat composite controls, or best of all: server-side generated markup with correct indentation!

I want to know if there are any such frameworks or platforms available that do this, particularly for ASP.NET.

I have had a look around but couldn't find anything - this idea is hardly original, so I'm probably using the wrong terminology in my Google searches.
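A minimal sketch of the DOM-only output model described in the post, added here as an illustration; it is not code from the post or from any existing framework, and it is written in Python rather than ASP.NET. The names `Text`, `Element` and `dangling_label_refs`, and the small nesting table, are assumptions made for the example.

```python
from html import escape

VOID = {"br", "hr", "img", "input"}
RAW_TEXT = {"script", "style"}          # content is not entity-decoded; refused here
# Constructed subset of the HTML content model: no block elements inside <p>.
FORBIDDEN_CHILDREN = {"p": {"div", "p", "ul", "table"}}

class Text:
    def __init__(self, data):
        self.data = str(data)
    def render(self):
        return escape(self.data, quote=False)   # & < > become entities

class Element:
    def __init__(self, tag, attrs=None, children=()):
        tag = tag.lower()
        names = [tag, *(attrs or {})]
        ok = all(n.isascii() and n.replace("-", "").isalnum() for n in names)
        if tag in RAW_TEXT or not ok:
            raise ValueError(f"refused tag or attribute name in <{tag}>")
        self.tag, self.attrs, self.children = tag, dict(attrs or {}), []
        for child in children:
            self.append(child)

    def append(self, child):
        if isinstance(child, str):      # plain strings can only become text nodes
            child = Text(child)
        if self.tag in VOID:
            raise ValueError(f"<{self.tag}> cannot have children")
        if isinstance(child, Element) and child.tag in FORBIDDEN_CHILDREN.get(self.tag, ()):
            raise ValueError(f"<{child.tag}> is not allowed inside <{self.tag}>")
        self.children.append(child)
        return self

    def walk(self):
        yield self
        for child in self.children:
            if isinstance(child, Element):
                yield from child.walk()

    def render(self):                   # the only place markup is ever written
        attrs = "".join(f' {k}="{escape(str(v), quote=True)}"' for k, v in self.attrs.items())
        if self.tag in VOID:
            return f"<{self.tag}{attrs}>"
        return f"<{self.tag}{attrs}>{''.join(c.render() for c in self.children)}</{self.tag}>"

def dangling_label_refs(root):
    """Post-processing filter: <label for> values that match no element id."""
    nodes = list(root.walk())
    ids = {n.attrs["id"] for n in nodes if "id" in n.attrs}
    return [n.attrs["for"] for n in nodes
            if n.tag == "label" and "for" in n.attrs and n.attrs["for"] not in ids]
```

Escaping at serialization covers markup injection through text and attribute values only; URL-valued attributes such as `href` would still need a scheme allow-list, which this sketch does not include.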