Newsgroups: php.internals
Xref: news.php.net php.internals:63049
Date: Tue, 18 Sep 2012 12:30:31 +0100
To: internals@lists.php.net
Subject: RFC: Implementing a core anti-XSS escaping class
From: padraic.brady@gmail.com (Pádraic Brady)

Hi all,

I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.

The RFC is a proposal to implement a standardised means of escaping data which is being output into XML/HTML. Cross-Site Scripting remains one of the most common vulnerabilities in web applications and there is a continued lack of understanding surrounding how to properly escape data. To try and offset this, I've written articles, attempted to raise awareness and wrote the Zend\Escaper class for Zend Framework. Symfony 2's Twig has since adopted similar measures in line with its own focus on security.

That's all. The RFC should be self-explanatory and feel free to pepper me with questions. As the RFC notes, I'm obviously not a C programmer so I'm reliant on finding a volunteer who's willing to take this one under their wing (or into their basement - whichever works).

https://wiki.php.net/rfc/escaper

Best regards,
Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
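The post says that escaping into HTML is widely misunderstood but does not show what "properly" means. As an added example (not code from the RFC, from Zend\Escaper, or from the original post), the PHP class below contrasts the HTML body context with the HTML attribute context, where the same input needs a stricter rule. The class and method names, the sample input, and the use of the mbstring functions mb_ord() and mb_check_encoding() are assumptions made for this illustration.

```php
<?php
// Added example, not the RFC's or Zend\Escaper's code. Class and method names are
// assumed for illustration; the input string below is constructed.

final class MiniEscaper
{
    private string $encoding;

    public function __construct(string $encoding = 'UTF-8')
    {
        $this->encoding = $encoding;
    }

    // HTML body context (text between tags). ENT_QUOTES is the important flag:
    // before PHP 8.1 htmlspecialchars() left the single quote alone by default,
    // which is enough to terminate a single-quoted attribute value.
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    // HTML attribute context. A value that reaches an unquoted attribute is
    // terminated by whitespace, so escaping only the five HTML metacharacters is
    // not enough; encode everything except a small alphanumeric allow-list.
    public function escapeHtmlAttr(string $s): string
    {
        $s = $this->toUtf8($s);
        $named = ['"' => '&quot;', '&' => '&amp;', '<' => '&lt;', '>' => '&gt;'];
        return preg_replace_callback(
            '/[^a-zA-Z0-9,._-]/u',
            function (array $m) use ($named): string {
                $ch = $m[0];
                if (isset($named[$ch])) {
                    return $named[$ch];
                }
                // Numeric entity for everything else (space, quotes, non-ASCII).
                return sprintf('&#x%02X;', mb_ord($ch, 'UTF-8'));
            },
            $s
        );
    }

    // Refuse malformed input rather than guess: a stray byte can change how a
    // browser tokenises the surrounding markup.
    private function toUtf8(string $s): string
    {
        if ($this->encoding !== 'UTF-8') {
            $s = mb_convert_encoding($s, 'UTF-8', $this->encoding);
        }
        if (!mb_check_encoding($s, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid ' . $this->encoding);
        }
        return $s;
    }
}

// Constructed sample input containing every character that matters in HTML.
$escaper = new MiniEscaper();
$input   = 'Tom & Jerry\'s "best" <show>';

// Body context: &amp; &#039; &quot; &lt; &gt; are enough.
echo '<p>' . $escaper->escapeHtml($input) . "</p>\n";

// Attribute context: spaces and quotes are encoded too, so the value stays a
// single token even when the template author forgot the surrounding quotes.
echo '<span title=' . $escaper->escapeHtmlAttr($input) . ">example</span>\n";
```

The point of the two methods is that escaping is decided by the output context, not by the data: escapeHtml() is correct between tags, escapeHtmlAttr() is the conservative choice inside attributes, and neither is appropriate for data inserted into a script block, a style block, or a URL, which each need their own rules.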