Newsgroups: php.internals
Xref: news.php.net php.internals:63051
Date: Tue, 18 Sep 2012 12:34:36 +0100
From: dragoonis@gmail.com (Paul Dragoonis)
To: Pádraic Brady
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

On Tue, Sep 18, 2012 at 12:32 PM, Paul Dragoonis wrote:
> Hi Paddy,
>
> Couldn't this just be a new option for the filter_var() function?
>
> $clean = filter_var($_POST['someVar'], XSS_CLEAN);

I see from your RFC that you have a bunch of functions; I believe all these could be options to filter_var, i.e.: FILTER_ESCAPE_[URL, JS, CSS, HTMLATTR].

- Paul.

>
> - Paul.
>
> On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady wrote:
>> Hi all,
>>
>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>> The RFC is a proposal to implement a standardised means of escaping
>> data which is being output into XML/HTML.
>>
>> Cross-Site Scripting remains one of the most common vulnerabilities in
>> web applications and there is a continued lack of understanding
>> surrounding how to properly escape data. To try and offset this, I've
>> written articles, attempted to raise awareness and wrote the
>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>> adopted similar measures in line with its own focus on security.
>>
>> That's all. The RFC should be self-explanatory and feel free to pepper
>> me with questions. As the RFC notes, I'm obviously not a C programmer
>> so I'm reliant on finding a volunteer who's willing to take this one
>> under their wing (or into their basement - whichever works).
>>
>> https://wiki.php.net/rfc/escaper
>>
>> Best regards,
>> Paddy
>>
>> --
>> Pádraic Brady
>>
>> http://blog.astrumfutura.com
>> http://www.survivethedeepend.com
>> Zend Framework Community Review Team
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
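The four output contexts named in this exchange (URL, JS, CSS, HTML attribute) each need a different encoding, which is the point the RFC makes and the reason a single XSS_CLEAN filter is not enough. The following is an added illustration written for this page; it is not code from the RFC, from Zend\Escaper, from Twig, or from any filter_var extension. The class name ContextEscaper, the method names, the PHP >= 7.2/mbstring requirement (mb_ord) and the sample inputs are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not the RFC's or Zend\Escaper's code: a minimal
 * context-aware escaper in the spirit of the proposal. Names are
 * assumptions for illustration. Requires the mbstring extension
 * (mb_ord, PHP >= 7.2).
 */
final class ContextEscaper
{
    // Escapers that run over bytes of an undefined encoding can be bypassed
    // with malformed sequences, so reject anything that is not valid UTF-8.
    private static function assertUtf8(string $s): void
    {
        if ($s !== '' && !mb_check_encoding($s, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
    }

    // HTML body text: encoding the five significant characters is enough here.
    public static function escapeHtml(string $s): string
    {
        self::assertUtf8($s);
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute value: everything outside a small safe set becomes a hex
    // entity, so even an unquoted attribute cannot be broken out of.
    public static function escapeHtmlAttr(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', static function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // JavaScript string literal: \xHH for ASCII, \uHHHH (surrogate pairs
    // above U+FFFF) for everything else.
    public static function escapeJs(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^a-zA-Z0-9,._]/u', static function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x80) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp <= 0xFFFF) {
                return sprintf('\\u%04X', $cp);
            }
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }, $s);
    }

    // CSS string or identifier: \HH followed by a space so the escape does not
    // swallow a following hex digit.
    public static function escapeCss(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^a-zA-Z0-9]/u', static function (array $m): string {
            return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // A single URL component (query value or path segment), not a whole URL.
    public static function escapeUrl(string $s): string
    {
        self::assertUtf8($s);
        return rawurlencode($s);
    }
}

// Constructed attacker input for an unquoted attribute such as <div title=<?= ... ?>>.
$attr = 'foo onmouseover=alert(1)';
echo htmlspecialchars($attr, ENT_QUOTES, 'UTF-8'), "\n";   // space and '=' survive: foo onmouseover=alert(1)
echo ContextEscaper::escapeHtmlAttr($attr), "\n";         // foo&#x20;onmouseover&#x3D;alert&#x28;1&#x29;

// Constructed input for a JS string literal such as var x = '<?= ... ?>';
$js = "');alert(1);//";
echo ContextEscaper::escapeJs($js), "\n";                 // \x27\x29\x3Balert\x281\x29\x3B\x2F\x2F

// Same input in a CSS and a URL context.
echo ContextEscaper::escapeCss('a b'), "\n";              // a\20 b
echo ContextEscaper::escapeUrl('a b&c=d'), "\n";          // a%20b%26c%3Dd
```

The first pair of lines is the case that motivates a dedicated attribute escaper: htmlspecialchars() leaves space and `=` untouched, so in an unquoted attribute the input simply becomes a new event-handler attribute, whereas the hex-entity form cannot end the value. The UTF-8 check matters for the same reason: with the `u` modifier, preg_replace_callback() returns null on invalid input, and an escaper that silently returns null or passes bytes through is a bypass.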