Newsgroups: php.internals
Xref: news.php.net php.internals:115018
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: Hans Henrik Bergan
Cc: PHP internals
Date: Tue, 22 Jun 2021 11:59:26 +0100

On Tue, 22 Jun 2021 at 11:31 am, Hans Henrik Bergan wrote:

> How is one supposed to use this? like
>
> if(!is_trusted($val)){
>     $val = htmlentities($val, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
> }
> echo "
> $val
> ";

No, if anything that's the opposite, and almost Taint Checking.

While this is covered in the RFC (https://wiki.php.net/rfc/is_literal) and will be best read in context, in summary:

The developer does not use this function, instead you rely on libraries to do that work for you. In this case you would use a HTML Templating Library (which knows about all the complexities of HTML encoding), and you simply provide the trusted string '
?
' and the values separately.

The Libraries will then use is_trusted(), with something like this:

https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/example.php?ts=4

Craig
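The division of labour Craig describes above, shown as an added example that is not part of the original thread or of the RFC's own example.php: the library owns the is_trusted() check on the markup, and the developer only hands it a literal template plus the values. It assumes is_trusted() exists as proposed by the is_literal/is_trusted RFC (it is not in a stock PHP build, so this will not run there unmodified); the helper name html_template() and the "?" placeholder convention are this example's own choices.

```php
<?php
// Added example, assuming the RFC's is_trusted() is available.
// html_template() and the "?" placeholder are assumptions of this example.

/**
 * Render an HTML template whose markup must be a developer-written literal.
 * Every "?" in the template is replaced by the HTML-escaped value at that position.
 */
function html_template(string $template, array $values): string
{
    // The library, not the application developer, calls is_trusted(): the markup
    // must be a literal (or a concatenation of literals), so no runtime data can
    // ever become markup. This is not taint checking of the values themselves.
    if (!is_trusted($template)) {
        throw new InvalidArgumentException('Template markup must be a trusted literal string');
    }

    $parts  = explode('?', $template);
    $values = array_values($values);
    if (count($parts) - 1 !== count($values)) {
        throw new InvalidArgumentException('Placeholder count does not match value count');
    }

    $html = $parts[0];
    foreach ($values as $i => $value) {
        // Values are always escaped regardless of origin; trust applies only to markup.
        $html .= htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8')
               . $parts[$i + 1];
    }
    return $html;
}

// Constructed sample input standing in for user-supplied data.
$name = '<script>alert(1)</script>';

// Literal markup with the value passed separately: rendered with the value escaped.
echo html_template('<p>Hello, ?</p>', [$name]), "\n";

// Markup assembled from a runtime value is no longer a literal, so the
// is_trusted() check inside the library rejects it before anything is rendered.
$template = '<p>' . $name . '</p>';
try {
    echo html_template($template, []);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The escaping here is deliberately simplified: htmlspecialchars() is only correct for element content and quoted attribute values, and a real templating library also has to handle URL, CSS and JavaScript contexts, which is exactly the complexity Craig says such a library should own. The point of the example is the shape of the contract: the template is checked for being trusted once at the boundary, and the values are never checked, only encoded.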