Subject: Re: [PHP-DEV] Sanitize filters
From: claude.pache@gmail.com (Claude Pache)
To: Kamil Tekiela
Cc: PHP internals
Date: Tue, 4 Oct 2022 21:48:52 +0200
Message-ID: <5E9CC8B8-7674-48D5-841B-1C87263446AB@gmail.com>

Hi,

> FILTER_SANITIZE_ENCODED
> FILTER_SANITIZE_SPECIAL_CHARS

See https://www.php.net/manual/en/function.filter-input.php Example #1 for an example of use.

Apparently, “escaping” is considered as part of “sanitizing”? If you want to educate your users, you can consider deprecating them in favor of FILTER_DEFAULT followed by `urlencode()`, respectively `htmlspecialchars()`. Ditto for various other FILTER_SANITIZE_* filters.

> FILTER_UNSAFE_RAW

My wild guess is that “unsafe” means that “it is dangerous to use the result in random contexts (i.e., without properly escaping it, because we assume that you don’t even know what “escape” means). Use FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS and/or FILTER_SANITIZE_MAGIC_QUOTES if you want to be safe” (for some nonstandard definition of “safe”). Of course, it should be renamed, because “safety” may be achieved by alternative means.

—Claude
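Added example, not part of Claude's message or of PHP's own code: it contrasts the "sanitize on input" filters named above with the FILTER_DEFAULT + context-specific escaping he suggests, using a constructed input value and the reserved example.com host. It shows why an input-time HTML encoding is wrong for a URL context and double-encodes when escaped again at output.

```php
<?php
declare(strict_types=1);

// Constructed sample input, as it might arrive in $_GET or $_POST.
$input = 'Tom & Jerry <script>alert(1)</script>';

// --- Approach 1: sanitize at read time (FILTER_SANITIZE_SPECIAL_CHARS) ---
// The filter commits to an HTML context: & < > " ' become numeric entities.
$sanitized = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);
// -> "Tom &#38; Jerry &#60;script&#62;alert(1)&#60;/script&#62;"

// Reused in a URL, the entities are not URL-safe: '&' starts a new query
// parameter and '#' starts the fragment, so the value is silently cut.
$brokenUrl = 'https://example.com/search?q=' . $sanitized;

// Escaped again at output (the normal habit), every '&' is re-encoded:
// "&#38;" becomes "&amp;#38;" and the page shows literal "&#38;" text.
$doubleEncoded = htmlspecialchars($sanitized, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// --- Approach 2: keep the raw value, escape for each output context ---
// FILTER_DEFAULT is FILTER_UNSAFE_RAW: the string is returned unchanged.
$raw = filter_var($input, FILTER_DEFAULT);

function forHtml(string $value): string
{
    // HTML body and attribute values (with quotes) share this encoding.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function forUrlQuery(string $value): string
{
    // RFC 3986 percent-encoding for a single query-string value.
    return rawurlencode($value);
}

printf("sanitized, used in URL : %s\n", $brokenUrl);
printf("sanitized, escaped twice: %s\n", $doubleEncoded);
printf("raw -> HTML body        : %s\n", forHtml($raw));
printf("raw -> HTML attribute   : <input value=\"%s\">\n", forHtml($raw));
printf("raw -> URL query        : https://example.com/search?q=%s\n", forUrlQuery($raw));
```

The raw value is escaped exactly once, by the function that matches where it is being written; the filtered value has already lost the information needed to do that correctly.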