Newsgroups: php.internals
Subject: Re: [PHP-DEV] html_errors default settings
From: devis@lucato.it
To: PHP Developers Mailing List
Date: Fri, 24 Jun 2011 20:50:13 +0100
References: <4E03AFFA.7060005@sugarcrm.com>

I found these:

> The error handling output was found to not properly escape HTML output in
> certain cases. An attacker could use this flaw to perform cross-site
> scripting attacks against sites where both display_errors and html_errors
> are enabled.

http://www.nessus.org/plugins/index.php?view=single&id=21594
https://bugs.gentoo.org/show_bug.cgi?id=125878

I like PHP being configured for production, the safer approach. Does xdebug strictly depend on this setting?

On 24 June 2011 09:55, Pierre Joye wrote:
> hi,
>
> On Thu, Jun 23, 2011 at 11:40 PM, Derick Rethans wrote:
>
> > They are not useful in production, but as distributions use the
> > "php.ini-production", even a PHP developer that uses a distribution
> > package now doesn't use the "php.ini-development" settings. Hence, no
> > more HTML errors and people bitch.
>
> It looks to me like a distro bug or feature request, not a php issue.
> They should (and I remember having asked Ubuntu to provide such an
> option) ask the users which kind of environment they wish.
>
> > They "depend" by choice. Xdebug simply enhances how things show up, and
> > does not want to mess with the settings that people have already made,
> > as that's an even larger WTF point.
> >
> > The main points are that:
> >
> > 1. the default changed between 5.2 and 5.3, and I'd like to restore it
> > 2. html_errors shouldn't mean that the docref stuff is turned on
> > automatically. The docref stuff is the annoying part, not the HTML
> > formatting. HTML formatting in production is *not* a problem (you
> > should have display_errors=0 anyway).
> >
> > Main goal: make it easier for developers.
>
> That brings one question: what were the reasons to change that back
> then? And why is it a good thing to restore them now, besides xdebug?
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
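The thread's security point is that PHP's built-in error display once emitted error text into HTML without escaping it, so enabling both display_errors and html_errors on a public site exposed a cross-site scripting vector. The following is an added example, not code from the thread, from PHP or from Xdebug: an application-level error handler that keeps display_errors off in production (logging instead) and, in development, escapes every error string with htmlspecialchars before it reaches the page, so the safety of the output no longer depends on the html_errors default. The APP_ENV constant and the environment names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Placeholder for however the application selects its environment.
const APP_ENV = 'production'; // 'production' or 'development'

// Apply the display/log policy the thread recommends: errors never reach
// the browser in production, whatever html_errors is set to.
function configure_error_display(string $env): array
{
    if ($env === 'production') {
        ini_set('display_errors', '0');
        ini_set('log_errors', '1');
    } else {
        // Developers see errors, but only through the escaping handler below.
        ini_set('display_errors', '1');
        ini_set('log_errors', '1');
    }
    return [
        'display_errors' => ini_get('display_errors'),
        'log_errors'     => ini_get('log_errors'),
        'html_errors'    => ini_get('html_errors'),
    ];
}

// Build the HTML fragment for an error with every dynamic field escaped.
// Error messages frequently embed user-controlled data (bad parameter
// values, file names), so they are treated as untrusted text.
function render_error_html(int $errno, string $errstr, string $errfile, int $errline): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<div class="php-error"><b>Error %d:</b> %s in <code>%s</code> on line %d</div>',
        $errno,
        $esc($errstr),
        $esc($errfile),
        $errline
    );
}

function install_error_handler(string $env): void
{
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($env): bool {
        // The raw message always goes to the log; logs are not rendered as HTML.
        error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
        if ($env !== 'production' && ini_get('display_errors')) {
            echo render_error_html($errno, $errstr, $errfile, $errline);
        }
        return true; // handled: PHP's default (unescaped) output is suppressed
    });
}

configure_error_display(APP_ENV);
install_error_handler(APP_ENV);

// Constructed demonstration value: an error message that carries a user-supplied
// string containing markup. The rendered fragment contains &lt;script&gt;, so the
// browser shows the text instead of executing it.
$userInput = '<script>alert(1)</script>';
echo render_error_html(E_USER_WARNING, "Bad value: $userInput", __FILE__, __LINE__), PHP_EOL;
```

The handler returns true so PHP's own error display, and with it the html_errors/docref formatting the thread discusses, never runs for handled errors; fatal errors bypass set_error_handler, which is why display_errors=0 in production remains the essential setting rather than the handler alone.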