Looks like Matt and I are now members of the OWASP input filters project.
Well, after my whining about OWASP yesterday, I had a good email exchange with the author(s) of this article and it looks like they'll be fixing some of the deficiencies that were introduced in the editing process.
I consider myself something of a security geek. I work for a security company, I develop applications that require security, I've written authentication mechanisms before, etc...
So I was happy to run across OWASP. Goodness knows most web application developers wouldn't know a good hash function if it bit them, let alone input validation, so OWASP provides a valuable service. Which brings me to the big "but". They don't often (ever?) mention that anything you send to a browser is out of your controll as soon as it's left the server. You can make suggestions to the browser, but you can't actually instruct it to reliably do anything, nor will you ever be informed if it deviates from the behavior you (incorrectly) assume it will exhibit. This feature is both what fueled the uptake of the web as the people's publishing medium, yet it's also the Achilles heel of web application security. Unless you are unambiguously tracking things on the server side and mapping what you expect to what you actually get (and then scrubbing it), you're in for a rude awakening. In the same way the developers that use CSS understand that you don't control the browsers behavior, back-end developers need to start learning that you don't have the faintest idea about who/what's really on the other end of that TCP/IP socket.
As a web developers we are nothing but muses on the client side of things, we exist to suggest and never to act.
High performance back-end for the pyMail app is now in CVS.
The new back-end requires a daemon process (server.py) that runs a multi-threading Unix Domain Socket server that caches POP mailbox connections. It's all written in Python and was quite simple to develop (the SocketServer library rocks, too bad it's documentation doesn't). Hopefully this should give the pyMail app the serer-side speed it's been lacking for quite some time, augmenting the client-side usability with responsive request responses.
Good stuff for the usability minded. Web applications tend towards unusable mazes when they are nothing more pretty front ends for tables in an RDBMS. Using a bit of application logic to present good choices and sane defaults can make a users life immeasurably easier.