452930

From my POV, the intro example about the User class may look confusing both to application security professionals and to developers who are novices to security:

1) Both solutions fall short in terms of security.
2) The design-centric solution provides little (if any) benefit for security.

Neither solution demonstrates the correct approach to fixing XSS. So it will raise questions from security experts and give wrong guidance to novices (like data validation being a proper way to fix injection flaws).

Moreover, it leaves evident questions unanswered: what if Username is allowed to contain symbols that may become dangerous in an output context? Or imagine someone needs to add an Email field to the User class (which is obviously allowed to contain <> signs). Or the User object needs to be put into a lexical context where other injection flaws are possible (SQL, URL, LDAP, etc.).

I do believe that the secure by design approach is the right way to go, but for me this example fails to demonstrate it.
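The point the post makes, that domain validation of a Username is not an XSS fix and that an Email field (or any other value) must be encoded for the context it is rendered into, can be shown in a few lines. The following is an added illustration written for this thread, not code from the book or from the poster; the `Username` and `Email` rules, the `User` class and the render functions are all hypothetical. The Email rule deliberately accepts the `Name <addr@host>` form, so a value that passes validation legitimately contains `<` and `>`; rendering it without encoding alters the HTML, while context-specific encoding (HTML text versus URL query component) keeps the markup intact.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# Hypothetical domain rules. The username rule is strict; the email rule
# permits a display-name form such as  Ann <ann@example.com>  and therefore
# admits characters that are significant in an HTML context.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
_ADDR = r"[^<>@\s]+@[^<>@\s]+\.[^<>@\s]+"
EMAIL_RE = re.compile(rf"(?:[^<>@]+ <{_ADDR}>|{_ADDR})")


@dataclass(frozen=True)
class Username:
    value: str

    def __post_init__(self):
        if not USERNAME_RE.fullmatch(self.value):
            raise ValueError("invalid username")


@dataclass(frozen=True)
class Email:
    value: str

    def __post_init__(self):
        if not EMAIL_RE.fullmatch(self.value):
            raise ValueError("invalid email")


@dataclass(frozen=True)
class User:
    name: Username
    email: Email


# Output-context encoders. They are pure functions of the raw string; the
# domain objects know nothing about where they will be rendered.
def html_text(s: str) -> str:
    """Encode for HTML element content and double-quoted attribute values."""
    return html.escape(s, quote=True)


def url_query_param(s: str) -> str:
    """Encode for a single URL query-string component."""
    return quote(s, safe="")


def render_profile_unencoded(user: User) -> str:
    """Validated but unencoded: the email's <...> becomes markup."""
    return f"<p>User: {user.name.value}</p><p>Email: {user.email.value}</p>"


def render_profile_html(user: User) -> str:
    """Same template, every value encoded for the HTML text context."""
    return (f"<p>User: {html_text(user.name.value)}</p>"
            f"<p>Email: {html_text(user.email.value)}</p>")


def render_search_link(user: User) -> str:
    """URL context first (query component), then HTML attribute context."""
    href = "/users?email=" + url_query_param(user.email.value)
    return f'<a href="{html_text(href)}">search</a>'


if __name__ == "__main__":
    # Constructed sample input; both values pass their domain rules.
    u = User(Username("ann_lee"), Email("Ann <ann@example.com>"))
    print(render_profile_unencoded(u))   # <ann@example.com> parsed as a tag
    print(render_profile_html(u))        # Ann &lt;ann@example.com&gt;
    print(render_search_link(u))         # Ann%20%3Cann%40example.com%3E
```

Run as a script the three lines show the same validated value rendered three ways: the unencoded form loses the address inside a bogus tag, the HTML-encoded form displays it literally, and the link form carries it through two encodings in the right order (URL component, then attribute). The domain rules still earn their keep (a `<b>x</b>` username is rejected), but the injection defence lives entirely in the encoders.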