Newsgroups: php.internals
Xref: news.php.net php.internals:33534
Message-ID: <474F5E12.1050404@php.net>
Date: Thu, 29 Nov 2007 16:49:22 -0800
From: pollita@php.net (Sara Golemon)
To: Stanislav Malyshev
CC: omar@php.net, PHP Internals
References: <474F0EE7.8020201@php.net> <474F4E47.8050506@zend.com>
In-Reply-To: <474F4E47.8050506@zend.com>
Subject: Re: [PHP-DEV] Proposed feature for json_encode()

>> To that end, the attached patch allows the caller to be paranoid about
>> their data and stipulate that <>&' should be encoded to hex references
>> instead. This doesn't stop a web developer from dropping that content
>> into an innerHTML of course, but it's one more rope holding the ship
>> together.
>
> Can you explain when it's going to help? I.e. if the concern is that
> somebody would stick it in the DOM as-is and have something like XSS
> with these data, then encoding it as \u is not enough, as far as I
> understand. If it's not the concern, then I'm not sure what the use
> case is - when is such encoding necessary?

You're absolutely correct that this won't save us from brain-dead
engineers; what it will save us from is broken browsers which
misinterpret otherwise legitimate data and get broken out of their
proper context. (Yes, I've seen browsers do exactly this, and you can
probably guess which versions)

-Sara

Short version, broken browsers have made me bitter and untrusting.
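The escaping the proposal describes, shown as an added example that is not the attached patch and not code from the thread. It uses the flag names PHP 5.3 later shipped for this feature (JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS, JSON_HEX_QUOT), which do not appear in the message above; the message names <>&', and the shipped set also covers the double quote. The sample data is constructed. It demonstrates the two points both sides of the exchange agree on: the escaped output is still plain JSON that decodes to the identical value, and the escaping only protects the JSON while it sits inside a script or attribute context, not a string that is later decoded and written into innerHTML.

```php
<?php
// Added example, not the patch from the thread. Assumes PHP >= 5.3 with
// ext/json, where the JSON_HEX_* flags exist.

// Constructed sample value containing every character the proposal
// wants escaped, plus a substring that would terminate an inline
// <script> block if it were written out verbatim.
$data = array(
    'title' => 'Tom & Jerry <3',
    'note'  => "it's \"quoted\" </script>",
);

// Default encoding: <, >, & and ' pass through untouched; only " and /
// receive backslash escapes.
function encode_plain(array $data)
{
    return json_encode($data);
}

// "Paranoid" encoding: <>&'" become \u003C \u003E \u0026 \u0027 \u0022.
function encode_paranoid(array $data)
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

$plain    = encode_plain($data);
$paranoid = encode_paranoid($data);

echo "plain:    $plain\n";
echo "paranoid: $paranoid\n";

// Both forms decode to the same array: the escaping costs no fidelity.
$ok = (json_decode($plain, true) === $data)
   && (json_decode($paranoid, true) === $data);

// The property that matters when the JSON is inlined into markup: the
// paranoid output contains no literal <, >, & or ' anywhere, so a
// browser that is sloppy about where a script or attribute ends has
// nothing to misread. The plain output still carries a literal '<'.
$ok = $ok
   && (strpbrk($paranoid, "<>&'") === false)
   && (strpos($plain, '<') !== false);

// Caveat from the thread: once the client has JSON-parsed the value,
// $data['note'] is back to its original text. Writing that string into
// innerHTML without HTML-escaping it is still unsafe; this option
// protects the JSON transport, not the DOM sink.
echo $ok ? "checks passed\n" : "checks FAILED\n";
```

Note that json_encode() escapes "/" as "\/" by default, so even the plain output does not contain a literal "</script>"; the flags matter for the remaining characters, which is why the check above looks for a bare "<" rather than the full closing tag.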