Newsgroups: php.internals
Date: Tue, 18 Sep 2012 07:39:42 -0400
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Paul Dragoonis
Cc: Pádraic Brady, internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

Paul

On Tue, Sep 18, 2012 at 7:32 AM, Paul Dragoonis wrote:
> Hi Paddy,
>
> Couldn't this just be a new option for the filter_var() function?
>
> $clean = filter_var($_POST['someVar'], XSS_CLEAN);
>
> - Paul.

Not without losing significant semantic meaning. There's a huge difference between filtering and escaping. Remember, Filter In, Escape Out.

If you really wanted something like that, then perhaps add an escape_var extension. But I think the proposed API is better as it's more explicit.

Anthony
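The "Filter In, Escape Out" distinction Anthony draws, as an added PHP example (not code from the thread or from the proposed RFC class): input is validated once on the way in, while the same value is encoded differently for each output context on the way out, which is why a single `XSS_CLEAN` filter flag cannot stand in for escaping. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added illustration, not from the RFC or the thread.
// Filter in: decide whether the raw input is acceptable for our domain.
function filter_in(array $post): ?string
{
    // Constructed rule: a display name is 1..40 bytes with no control characters.
    $name = filter_var($post['name'] ?? '', FILTER_UNSAFE_RAW);
    if ($name === false || $name === '' || strlen($name) > 40
        || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;   // reject, rather than "clean" the value into something else
    }
    return $name;      // still raw text: an apostrophe or '<' is legitimate data here
}

// Escape out: the SAME value needs a different encoding per output context.
// No input-time filter can know which of these contexts the value will land in.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_attr(string $s): string
{
    // Adequate for a double-quoted attribute because ENT_QUOTES encodes both quote kinds.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_js(string $s): string
{
    // JSON encoding with the HEX flags yields a JS string literal safe inside <script>.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function escape_url(string $s): string
{
    return rawurlencode($s);   // for a query-string component
}

// Constructed input: legitimate data that a one-size "XSS_CLEAN" filter would
// either mangle (losing the apostrophe) or leave under-encoded for some context.
$name = filter_in(['name' => "O'Brien <b>"]);
if ($name !== null) {
    echo '<p>Hello, ' . escape_html($name) . "</p>\n";
    echo '<input value="' . escape_attr($name) . "\">\n";
    echo '<script>var who = ' . escape_js($name) . ";</script>\n";
    echo '<a href="/user?name=' . escape_url($name) . "\">profile</a>\n";
}
```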