Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: dragoonis@gmail.com (Paul Dragoonis)
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 12:32:35 +0100

Hi Paddy,

Couldn't this just be a new option for the filter_var() function?

$clean = filter_var($_POST['someVar'], XSS_CLEAN);

- Paul.

On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
>
> Best regards,
> Paddy
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
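Added illustration of the context-specific escaping the RFC describes, written for this page and not taken from the RFC or from Zend\Escaper: a small class with one method per output context (HTML text, HTML attribute, JavaScript string, URL component), each producing a different encoding of the same value. It assumes PHP 7.2 or later with ext/mbstring for mb_ord(); the class name, method names and sample input are constructed for the example.

```php
<?php
// Added example, not code from the RFC or from Zend\Escaper: a minimal
// context-aware escaper in the style the RFC describes. Each method is
// tied to one output context. Assumes PHP >= 7.2 with ext/mbstring (mb_ord).
final class MiniEscaper
{
    // HTML text node: entity-encode & < > " ' ; invalid UTF-8 is replaced.
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute value: every char outside [A-Za-z0-9,._-] becomes a
    // numeric entity, so the value stays inert even in an unquoted attribute.
    public function escapeHtmlAttr(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._-]/u', function ($m) {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // JavaScript string literal: \xHH for ASCII, \uHHHH (surrogate pairs
    // above U+FFFF) for everything else, so quotes and </script> never appear.
    public function escapeJs(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._]/u', function ($m) {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x80) return sprintf('\\x%02X', $cp);
            if ($cp < 0x10000) return sprintf('\\u%04X', $cp);
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
        }, $s);
    }

    // URL query/path component: percent-encode per RFC 3986.
    public function escapeUrl(string $s): string
    {
        return rawurlencode($s);
    }
}

// Constructed sample input: an ordinary value containing HTML-significant characters.
$e = new MiniEscaper();
$v = 'O\'Neil & "Co" <b>café</b>';
echo '<p>' . $e->escapeHtml($v) . "</p>\n";
echo '<input value=' . $e->escapeHtmlAttr($v) . ">\n";
echo "<script>var v = '" . $e->escapeJs($v) . "';</script>\n";
echo '<a href="/search?q=' . $e->escapeUrl($v) . '">search</a>' . "\n";
```

Running the script prints the same value encoded four different ways; with the /u modifier, preg_replace_callback() returns null on invalid UTF-8 input, so callers should validate encoding first or catch the resulting TypeError.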