Newsgroups: php.internals
Subject: Re: [PHP-DEV] Sanitize filters
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Kamil Tekiela
Cc: PHP internals
Date: Sun, 9 Oct 2022 00:28:26 +0900

Kamil Tekiela:
> These are just the things I found confusing and strange about the sanitize
> filters. Let's try to put ourselves in the shoes of an average PHP
> developer trying to comprehend these filters. It's quite easy to shoot
> yourself in the foot if you try to use them. The PHP manual doesn't do a
> good job of explaining them, but that's probably because they are not easy
> to explain. I can't come up with good examples of when they should be used.

I agree there are many confusing names/features/behaviors.

IMO, input validation and output sanitization should be 2 different features.

https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices

Input validation is the 1st secure coding principle for input data handling.
Output sanitization is the 7th secure coding principle for output data handling.

Filter module is mixing these up. (And input validation should not sanitize
input, but validate. Otherwise, the web app is not OWASP TOP 10 compliant,
i.e. OWASP TOP 10 A09:2021 requires detecting DAST attacks.)

I wrote the input validation part years ago, if anyone is interested.

https://github.com/yohgaki/validate-php (Obsolete C module. Do not use)
https://github.com/yohgaki/validate-php-scr (PHP library)

--
Yasuo Ohgaki
yohgaki@ohgaki.net
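An added example illustrating the distinction the reply draws between validating input and sanitizing it, and keeping output escaping as a separate step. This is not code from the thread, from Yasuo's validate-php libraries, or from the PHP manual; the function names (validateUserId, sanitizeUserId, escapeHtml) and the sample inputs are constructed for the illustration, and it assumes PHP 8 for the `mixed` type. It uses only the stock ext/filter functions that the thread discusses: FILTER_VALIDATE_INT returns false and the request can be refused and logged, whereas FILTER_SANITIZE_NUMBER_INT strips characters and hands back something that always "looks fine", so a malformed or hostile value such as `1e3` or `<script>1</script>` is never detected.

```php
<?php
declare(strict_types=1);

// Added example (not from the php.internals thread or the PHP manual).
// Contrasts FILTER_VALIDATE_* (reject bad input) with FILTER_SANITIZE_*
// (silently rewrite it), and keeps output escaping as its own step.

// Input validation: accept exactly what the code expects, refuse the rest.
// Returns the validated int, or null when the request should be rejected
// (and, in a real app, logged as a suspicious input).
function validateUserId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
        // No FILTER_FLAG_ALLOW_OCTAL / ALLOW_HEX: "017" and "0x1A" are refused.
        'flags'   => 0,
    ]);
    return $v === false ? null : $v;
}

// Input "sanitization": the sanitize filters keep only digits, '+' and '-'.
// Whatever comes in, something "acceptable" comes out, so an attack attempt
// is neither rejected nor detectable afterwards.
function sanitizeUserId(mixed $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

// Output escaping (the 7th SEI CERT practice): applied at the output
// boundary for the HTML context, independently of input validation.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs resembling what $_GET['id'] might carry.
$samples = ['42', '42abc', '<script>1</script>', '1e3', '-7', ''];

foreach ($samples as $raw) {
    $validated = validateUserId($raw);
    $sanitized = sanitizeUserId($raw);
    printf(
        "%-22s validate=%-7s sanitize=%s\n",
        var_export($raw, true),
        $validated === null ? 'REJECT' : (string) $validated,
        var_export($sanitized, true)
    );
}

// The escaping step is separate: it protects the HTML sink regardless of
// whether the value was validated, sanitized, or came from a database.
echo escapeHtml('<script>1</script>'), "\n";
```

Run it with `php example.php`. Note how `1e3` passes through the sanitize filter as `13`, a different number from anything the client sent, and how `<script>1</script>` becomes a perfectly valid-looking `1`; only the validate path gives the application a signal that something was wrong.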