Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118728 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 26883 invoked from network); 2 Oct 2022 16:41:43 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 2 Oct 2022 16:41:43 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 489411804C4 for ; Sun, 2 Oct 2022 09:41:42 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-vs1-f45.google.com (mail-vs1-f45.google.com [209.85.217.45]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 2 Oct 2022 09:41:41 -0700 (PDT) Received: by mail-vs1-f45.google.com with SMTP id n186so3461987vsc.9 for ; Sun, 02 Oct 2022 09:41:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=6ymLgM4ViAq+g1La2jumW0D6eIvNVK1JPHmVoErEPYo=; b=HSEfl+oOfus57SUj9dR3HNI12+e5SEHUnp6WU8Np4n94qA+YwWjdvp4G8QKro9BDoN Wq6Cp7+AfZZnhrFtxiceA2SGrTIvo2MmrjCvmGqs4FD6VhweFvG8Hkk7IjTXVDDo6PRa q/LU+vqeCeliTSrU7Jg2iaV6nyyGpUknYZqAdSWnKjZkd+5IzRX5ythEBNFxozwyEO1T Em7NZloivRmRjoq9CYmmf4DOgLO92Mmg+Fo9kNGA+X1ekry6dPIdh/aHtP9GfWnh3nju O0a9jUk10zn7IlzrFnoiypdFWWKuyNSi4jf889JDLjqQcngFpsqg7/J1TAhoyf6pz6MV tSoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=6ymLgM4ViAq+g1La2jumW0D6eIvNVK1JPHmVoErEPYo=; b=ecDhdAKi6MTkqM6VDLHcCo/j9enc/iMxkyL0tV+EF9S0KMeXOqPGPkdGgIRK+v1XO1 HsZVtM0pdILDebRYZ8OKlYVYzJ/KuGszeuvGQ5Cq7s64wceYN7CNKpBZQb4Te8LaxV0z rOD4pJukHMbjFS+O0LPyIOG0K0gaCgcxrknspPEJaZAQID+ZhHwaVUUsshkx8Taj9twE fWAQ1phN2B6UqrmZvI5qTk+omzZVrTgEPPC6/kQIIadluTWvXqKvPdesPqIIqRS8Vq69 56CBVPKQKvMlW6X8dsanFh5jCaxFyMeQh7MKgLGdH5LeXXT7D2qgPFitg4JAnvyDIiSy PSRQ== X-Gm-Message-State: ACrzQf3tYjFVOh4ZAYfH+TKqULKYmX4ugEl5+ggWd40+HUuEq3m7cGT0 43XGSoF/Np6VwbmcRLspTWP3US99lpta76TN9UwU4R7pHd4= X-Google-Smtp-Source: AMsMyM6r3dHWN79MZUWWEbwXQIO/qiK0QbTO+6ZQRib4utZPlXCWQjvOGLD4RcKT6ZsMjTkKpYYT/LWpjgKsJH4fUoE= X-Received: by 2002:a67:f684:0:b0:392:ac17:f9b0 with SMTP id n4-20020a67f684000000b00392ac17f9b0mr7321971vso.85.1664728900541; Sun, 02 Oct 2022 09:41:40 -0700 (PDT) MIME-Version: 1.0 References: <0cfb9a7b-1168-42ef-ae1a-bdc72210de43@app.fastmail.com> In-Reply-To: <0cfb9a7b-1168-42ef-ae1a-bdc72210de43@app.fastmail.com> Date: Sun, 2 Oct 2022 18:41:22 +0200 Message-ID: To: Larry Garfield Cc: php internals Content-Type: multipart/alternative; boundary="000000000000c3a29505ea0fe676" Subject: Re: [PHP-DEV] Sanitize filters From: divinity76@gmail.com (Hans Henrik Bergan) --000000000000c3a29505ea0fe676 Content-Type: text/plain; charset="UTF-8" FILTER_SANITIZE_EMAIL should burn. If you have a bad email address, i can't imagine the correct solution is to remove characters until it becomes valid, short of a trim() On Sun, Oct 2, 2022, 17:10 Larry Garfield wrote: > On Sat, Oct 1, 2022, at 10:39 AM, Kamil Tekiela wrote: > > Hi Internals, > > > > For quite some time now, PHP's sanitize filters have "Rustled My > Jimmies". > > These filters bother me because I can't really justify their existence. I > > can understand that a few of them are sensible and may come in handy, > but I > > would like to talk about some of these in particular. > > > > In PHP 8.1, we have deprecated FILTER_SANITIZE_STRING which I deemed to > be > > a priority due to its confusing name and behaviour. The rest is slightly > > less dangerous, but as was pointed out to me in a recent conversation > with > > a PHP developer, these filters are all very confusing. > > > > I would like to have some opinions on the following filters. What do you > > think we should do with them? Deprecate? Fix? Provide better > documentation? > > > > --- > > > > *FILTER_SANITIZE_ENCODED *- "URL-encode string, optionally strip or > encode > > special characters." > > Now, what does that mean? PHP has two functions for URL encoding: > urlencode > > used for encoding query-string parts, and rawurlencode used for encoding > > any other URL part (two different RFCs are followed by these functions). > > Which of these RFCs is applied in this filter? Furthermore, the > description > > says that "special characters" can be stripped or encoded. Is one of > these > > actions the default and the other can be selected by a flag or are both > > optional? What are these special characters? Are they special in the > > context of URL? If so, why did we encode them first? If these are HTML > > special characters (there's no single definition of special HTML chars), > > then why does this filter encode them if the filter is for URL > > sanitization? What does backtick have to do with any of this > > (FILTER_FLAG_STRIP_BACKTICK)? > > > > *FILTER_SANITIZE_ADD_SLASHES - "*Apply addslashes(). (Available as of PHP > > 7.3.0)" > > This filter was added as a replacement for magic_quotes filter. According > > to PHP documentation, addslashes is supposed to be used when injecting > PHP > > variables into eval'd string. Real-life showed that this function is used > > in a lot of places that have nothing to do with PHP's eval. I am not sure > > if the sanitize filter is misused in a similar fashion, but judging from > > the fact that it was meant as a replacement for magic_quotes, my guess is > > that it's very likely still abused. > > > > *FILTER_SANITIZE_EMAIL *- "Remove all characters except letters, digits > and > > !#$%&'*+-=?^_`{|}~@.[]." > > Which RFC does this adhere to? It strips slashes and quoted parts, > doesn't > > allow IPv6 addresses and doesn't accept RFC 6530 email addresses. This > > filter is ok for simple usage, but it isn't true to any known > specification > > AFAIK. > > > > *FILTER_SANITIZE_SPECIAL_CHARS *- "HTML-encode '"<>& and characters with > > ASCII value less than 32, optionally strip or encode other special > > characters." > > What's the intended purpose of this filter? "Special characters" are > still > > not clearly defined, but at least it's more clear than > > the FILTER_SANITIZE_ENCODED description. Same question about backticks > > though: why? Why encode ASCII <32 chars? > > > > *FILTER_SANITIZE_FULL_SPECIAL_CHARS *- "Equivalent to calling > > htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled > by > > setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this > filter > > is aware of the default_charset and if a sequence of bytes is detected > that > > makes up an invalid character in the current character set then the > entire > > string is rejected resulting in a 0-length string. When using this filter > > as a default filter, see the warning below about setting the default > flags > > to 0." > > Not to be mistaken with FILTER_SANITIZE_SPECIAL_CHARS. As long as it's > not > > used with filter_input(), it's the least problematic. We > > have htmlspecialchars() though, so how useful is this filter? > > > > *FILTER_UNSAFE_RAW *- What makes it unsafe? Why isn't this just > > called FILTER_RAW_STRING? If the value being filtered is something other > > than a string, what will this filter return? Integers, floats, booleans > and > > nulls are converted to a string, Arrays and objects make the filter fail. > > > > --- > > > > Let's quickly mention the filter flags. > > > > The FILTER_FLAG_STRIP_LOW flag will also remove tabs, carriage returns > and > > newlines as these are all less than 32 ASCII codes. When is this useful > and > > expected? > > > > The FILTER_FLAG_ENCODE_LOW flag "encodes" ASCII <32 codes presumably into > > HTML entities, although that's not specified anywhere in the PHP manual. > > The word HTML does not appear on the > > https://www.php.net/manual/en/filter.filters.flags.php page. What do > these > > characters look like when presented by HTML? When is it ever useful to > use > > this flag? > > > > FILTER_FLAG_ENCODE_AMP & FILTER_FLAG_STRIP_BACKTICK - why is this even a > > thing? > > > > Due to flags, FILTER_VALIDATE_EMAIL will happily validate email addresses > > that would be otherwise mangled by FILTER_SANITIZE_EMAIL. > > > > These are just the things I found confusing and strange about the > sanitize > > filters. Let's try to put ourselves in the shoes of an average PHP > > developer trying to comprehend these filters. It's quite easy to shoot > > yourself in the foot if you try to use them. The PHP manual doesn't do a > > good job of explaining them, but that's probably because they are not > easy > > to explain. I can't come up with good examples of when they should be > used. > > > > Regards, > > Kamil > > The filter extension has always been a stillborn mess. Its API is an > absolute disaster and, as you note, its functionality is unclear at best, > misleading at worst. Frankly it's worse than SPL. > > I'd be entirely on board with jettisoning the entire thing, but baring > that, ripping out large swaths of it that are misleading suits me fine. > > --Larry Garfield > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: https://www.php.net/unsub.php > > --000000000000c3a29505ea0fe676--