Newsgroups: php.internals
Message-ID: <475482AF.3050800@zend.com>
Date: Mon, 03 Dec 2007 14:26:55 -0800
From: Stanislav Malyshev <stas@zend.com>
To: Rasmus Lerdorf
CC: Sara Golemon, omar@php.net, PHP Internals
In-Reply-To: <475101FF.5080103@lerdorf.com>
Subject: Re: [PHP-DEV] Proposed feature for json_encode()

> Stuff like this often isn't completely deterministic. The attack
> vectors will move around and new ones will be discovered but since the
> syntax Sara is proposing is completely valid JSON it gives people
> another tool. Documenting specific attack vectors is useful too, of
> course, but a secondary concern in my mind.

I'm not talking about attack vectors and full security analysis. For me, it is a primary concern, having some security-oriented feature, to know *what exactly* it does and when you should and should not use it. We were burned repeatedly by implementing various cool features that were misused for doing things that they weren't meant to do, and then we were blamed for it - so I think we need to have a clear understanding of when and why this feature is useful and explicitly document it.

Otherwise what would happen is that people would use this option, pass JS data through it, stick it into DOM, get XSS and start blogging about "huge XSS in supposedly secure json_encode() function in PHP". Or, not seeing how it can help them, won't use it at all.

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com
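An added illustration of the distinction drawn above, not part of the thread: it assumes the proposed escaping shipped as json_encode()'s JSON_HEX_TAG/JSON_HEX_AMP/JSON_HEX_APOS/JSON_HEX_QUOT flags (PHP 5.3 and later), and uses a constructed untrusted value to show what the option covers (inlining JSON in a script block) and what it does not (data that is later written into HTML).

```php
<?php
// Constructed untrusted input: a value a user could have supplied.
$untrusted = ['name' => '</script><script>alert(1)</script>'];

// Plain json_encode(): valid JSON, but "</script>" survives verbatim, so
// inlining $plain in a <script> block lets the browser end the block early.
$plain = json_encode($untrusted);

// With the hex flags (assumed to be the feature under discussion): still
// valid JSON, but < > & ' " become \uXXXX escapes, so the output can be
// placed inside a <script> block without terminating it.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$escaped = json_encode($untrusted, $flags);
// $escaped is:
// {"name":"\u003c\/script\u003e\u003cscript\u003ealert(1)\u003c\/script\u003e"}
echo "<script>var data = $escaped;</script>\n";

// What the flags do NOT do: once the JSON is parsed (json_decode here, or
// JSON.parse / a JS literal in the browser) the value is back to its raw
// form. Writing it into the DOM via innerHTML, or into HTML server-side,
// still requires escaping for the HTML context.
$decoded = json_decode($escaped, true);
assert($decoded['name'] === $untrusted['name']); // no escaping survived decoding
echo '<div>' . htmlspecialchars($decoded['name'], ENT_QUOTES, 'UTF-8') . "</div>\n";
```

The flags answer exactly one question (is this JSON text safe to inline in a script block?) and not the question of where the decoded data goes afterwards, which is the misuse the message anticipates.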