Newsgroups: php.internals
Xref: news.php.net php.internals:60929
Subject: Re: [PHP-DEV] json_encode() behavior for incorrectly encoded strings
From: pierre.php@gmail.com (Pierre Joye)
To: Rasmus Lerdorf
Cc: Nikita Popov, Daniel Convissor, PHP internals
Date: Thu, 21 Jun 2012 20:39:04 +0200
In-Reply-To: <4FE33EDF.2000409@lerdorf.com>
References: <20120621141241.GA25789@analysisandsolutions.com> <4FE33EDF.2000409@lerdorf.com>

hi Rasmus,

On Thu, Jun 21, 2012 at 5:33 PM, Rasmus Lerdorf wrote:
> The problem with a warning here is that there is usually no way to
> prevent it short of using @ or preceding all calls to htmlspecialchars()
> with an iconv() call. A bad guy can simply send invalid UTF-8 bytes to a
> web app and look for that warning to get a really good idea about the
> server software being used. And yes, I know people should have
> display_errors off in production, but this case is slightly different
> because it is so universal. Other user-triggerable warnings are very
> code-dependent and there is no universal trigger string you can send to
> all PHP apps. Almost all PHP apps call htmlspecialchars() on user input
> at some point.

I have no problem with raising a warning here, but it must respect display_errors.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
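The fingerprinting concern Rasmus raises is that invalid UTF-8 is a "universal trigger string": it reaches htmlspecialchars() in almost every PHP application, so any warning it produces becomes a server-wide probe. The snippet below is an added example written for this page, not code from the thread or from PHP itself. It shows what invalid input does to htmlspecialchars() today (the call returns an empty string rather than warning) and one way to escape untrusted input without ever depending on a warning path: check the encoding with mb_check_encoding() and pass ENT_SUBSTITUTE so invalid sequences become U+FFFD. It assumes PHP 5.4 or later (for ENT_SUBSTITUTE) and the mbstring extension; it uses these instead of the iconv() pre-pass Rasmus mentions, which is a choice made here, not something the thread recommends. The probe strings are constructed for the example.

```php
<?php
// Added example, not from the php.internals thread. Assumes PHP >= 5.4 and mbstring.

// Escape untrusted input for HTML without giving an attacker a warning to look for.
function escape_html_safely($input)
{
    // Decide explicitly, and log server-side only; never let the outcome
    // surface as a PHP warning in the response body.
    if (!mb_check_encoding($input, 'UTF-8')) {
        error_log('escape_html_safely: invalid UTF-8 in request input, substituting U+FFFD');
    }

    // ENT_SUBSTITUTE replaces each invalid code unit sequence with U+FFFD instead of
    // returning '' (the behaviour without the flag), so the page still renders and
    // nothing is raised regardless of display_errors.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed probe strings of the kind a scanner would send: a stray 0xFF byte
// and a two-byte sequence cut off after its lead byte.
$probes = array(
    "valid <b>text</b>",
    "x\xFFy",
    "caf\xC3",
);

foreach ($probes as $p) {
    // Without ENT_SUBSTITUTE the invalid inputs come back as '' (silently).
    $plain = htmlspecialchars($p, ENT_QUOTES, 'UTF-8');
    $safe  = escape_html_safely($p);
    printf("%-28s plain=%-20s safe=%s\n", bin2hex($p), var_export($plain, true), $safe);
}
```

For the two invalid probes, `$plain` is `''` and `$safe` is `x` + U+FFFD + `y` and `caf` + U+FFFD respectively; the valid probe escapes to `valid &lt;b&gt;text&lt;/b&gt;` either way. The point of the wrapper is that its observable behaviour is the same whether display_errors is on or off, which is exactly the property Rasmus wants any new warning to preserve.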