Newsgroups: php.internals
Subject: Re: [PHP-DEV] Proposed feature for json_encode()
From: stas@zend.com (Stanislav Malyshev)
To: Sara Golemon
CC: omar@php.net, PHP Internals
Date: Thu, 29 Nov 2007 15:41:59 -0800
Message-ID: <474F4E47.8050506@zend.com>
In-Reply-To: <474F0EE7.8020201@php.net>
Organization: Zend Technologies

> To that end, the attached patch allows the caller to be paranoid about
> their data and stipulate that <>&' should be encoded to hex references
> instead. This doesn't stop a web developer from dropping that content
> into an innerHTML of course, but it's one more rope holding the ship
> together.

Can you explain when it's going to help? I.e. if the concern is that somebody would stick it in the DOM as-is and have something like XSS with these data, then encoding it as \u is not enough, as far as I understand. If it's not the concern, then I'm not sure what the use cases are - when is such encoding necessary?

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
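The two sinks the exchange contrasts can be seen side by side in the following added example. It is not code from the patch or from anyone in the thread: `jsonEncodeHex` is a stand-in written here for the proposed option (escape `<>&'` as `\uXXXX` on top of ordinary JSON; PHP later shipped this behaviour as the `JSON_HEX_*` flags, but the function below is not PHP's implementation), the `sample` object is constructed for the demo, and it runs under Node.js. It shows that the escaping keeps a JSON document safe to emit inline inside a `<script>` block, while JSON.parse restores the original characters, so a consumer that writes the decoded value into innerHTML gets exactly the same raw markup it would have gotten without the option, which is the point the reply raises.

```javascript
// Added example, not code from the PHP patch or the mailing-list thread.
// Mimics the proposed json_encode() option with a stand-in function and
// shows where the \u escaping helps (JSON inlined in a <script> block) and
// where it cannot help (the decoded value written into the DOM).
// Runs under Node.js; the sample data below is constructed for the demo.

// Stand-in for the proposed option: normal JSON, then the four characters
// the patch names replaced by their \u escapes. Any conforming JSON parser
// decodes these back to the original characters, so only the wire format
// changes, not the decoded value.
function jsonEncodeHex(value) {
  return JSON.stringify(value).replace(/[<>&']/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Sink 1: JSON emitted inline, e.g. "<script>var data = {...};</script>".
// The HTML tokenizer ends a script element at the first "</script" it sees,
// before the JS engine ever runs, so a string value containing that sequence
// truncates the script and the remainder is parsed as markup. Returns true
// when the JSON text can be inlined without that happening.
function safeToInlineInScript(jsonText) {
  return !/<\/script/i.test(jsonText);
}

// Sink 2: the value after JSON.parse, which is what an innerHTML
// assignment would receive.
function decodedMessage(jsonText) {
  return JSON.parse(jsonText).msg;
}

// What a DOM sink has to do itself: escape for an HTML text context.
// This is the step the \u encoding on the wire cannot replace.
function escapeForHtmlText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed sample: a user-supplied string that happens to contain a
// closing script tag plus a few of the other characters in question.
const sample = { msg: "a </script> b & 'q'" };
const plain = JSON.stringify(sample);
const hex = jsonEncodeHex(sample);

console.log('plain:', plain, '-> inline-safe:', safeToInlineInScript(plain));
console.log('hex:  ', hex, '-> inline-safe:', safeToInlineInScript(hex));
// Both decode to the same string, so an innerHTML sink sees a raw '<' either way.
console.log('decoded equal:', decodedMessage(plain) === decodedMessage(hex));
console.log('text-escaped:', escapeForHtmlText(decodedMessage(hex)));
```

The useful reading of the result is that the option protects one specific embedding (JSON pasted into inline script, where the HTML parser runs first), and nothing else: once the document has been parsed, the data must still be escaped for whatever context it is inserted into, or inserted via a text-only API such as `textContent`.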