Newsgroups: php.internals
Date: Tue, 18 Sep 2012 13:00:10 +0100
From: Paul Dragoonis <dragoonis@gmail.com>
To: Pádraic Brady
Cc: PHP Internals List
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

Yep, I see where my suggestion for filter_var() isn't relevant.

I use Symfony2's escaper in the PPI\Templating\ component, and really like it. Zend2's also seems pretty good.

It'd be nice to have this available as a ./ext/spl/ class or an independent extension (really needed for 1 class?).

Cheers,
Paul.

On Tue, Sep 18, 2012 at 12:55 PM, Pádraic Brady wrote:
> Hi Paul,
>
> The thing is that filter_var() is strongly associated with input
> sanitisation whereas Escaper addresses the other end of output. Also,
> escaping is inextricably linked to character encoding - we can't run
> into situations where the functions are specific to something like
> UTF-8 when the character encodings used in real life are far more
> diverse. Additionally, the RFC was an attempt to make escaping as
> explicit and restrictive as possible - give a user too many options,
> or too many dispersed units of functionality, and they'll invariably
> confuse and misinterpret themselves to Hell ;).
>
> Note: There is a stack of folk, for example, who use the ext/filter
> URL validator for HTTP validation - it also passes php:// and
> javascript:// URLs. If we're not explicit, they won't ever notice when
> they're doing it wrong.
>
> Paddy
>
> On Tue, Sep 18, 2012 at 12:34 PM, Paul Dragoonis wrote:
>> On Tue, Sep 18, 2012 at 12:32 PM, Paul Dragoonis wrote:
>>> Hi Paddy,
>>>
>>> Couldn't this just be a new option for the filter_var() function?
>>>
>>> $clean = filter_var($_POST['someVar'], XSS_CLEAN);
>>
>> I see from your RFC that you have a bunch of functions, I believe all
>> these could be options to filter_var, i.e.: FILTER_ESCAPE_[URL, JS,
>> CSS, HTMLATTR].
>>
>> - Paul.
>>
>>>
>>> - Paul.
>>>
>>> On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady wrote:
>>>> Hi all,
>>>>
>>>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>>>> The RFC is a proposal to implement a standardised means of escaping
>>>> data which is being output into XML/HTML.
>>>>
>>>> Cross-Site Scripting remains one of the most common vulnerabilities in
>>>> web applications and there is a continued lack of understanding
>>>> surrounding how to properly escape data. To try and offset this, I've
>>>> written articles, attempted to raise awareness and wrote the
>>>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>>>> adopted similar measures in line with its own focus on security.
>>>>
>>>> That's all. The RFC should be self-explanatory and feel free to pepper
>>>> me with questions. As the RFC notes, I'm obviously not a C programmer
>>>> so I'm reliant on finding a volunteer who's willing to take this one
>>>> under their wing (or into their basement - whichever works).
>>>>
>>>> https://wiki.php.net/rfc/escaper
>>>>
>>>> Best regards,
>>>> Paddy
>>>>
>>>> --
>>>> Pádraic Brady
>>>>
>>>> http://blog.astrumfutura.com
>>>> http://www.survivethedeepend.com
>>>> Zend Framework Community Review Team
>>>>
>>>> --
>>>> PHP Internals - PHP Runtime Development Mailing List
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>
>
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team
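The distinction the thread turns on (input sanitisation with filter_var() versus per-context output escaping, and the point that a URL validator passing javascript:// is a validation problem no escaper can fix) is easier to see in code. The following is an added example, not code from the RFC, from Zend\Escaper or from Twig: a small context-aware escaper with one method per output context named in the thread, plus a scheme allowlist for whole URLs. It assumes PHP >= 7.2 with the mbstring extension; the class name, method names and the sample payload are all invented for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC, Zend\Escaper or Twig: a minimal
// context-aware escaper covering the output contexts the thread names,
// plus a scheme allowlist for whole URLs, which is the check Paddy's
// remark about javascript:// URLs points at. Assumes PHP >= 7.2 with
// the mbstring extension (mb_ord, mb_check_encoding).
final class ContextEscaper
{
    // Escaping is only meaningful on well-formed text, so reject invalid
    // UTF-8 instead of letting the browser re-interpret stray bytes.
    private function utf8(string $s): string
    {
        if (!mb_check_encoding($s, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        return $s;
    }

    // HTML body text: only & < > " ' can change how the parser reads it.
    public function html(string $s): string
    {
        return htmlspecialchars($this->utf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute value: every character outside [A-Za-z0-9,._-] becomes
    // a numeric entity, so the value cannot break out even if the template
    // author forgot the quotes around the attribute.
    public function htmlAttr(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._-]/u', function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        }, $this->utf8($s));
    }

    // JavaScript string literal: \xHH for ASCII and \uHHHH for everything
    // else, so quotes, "</script>" and line terminators never reach the
    // HTML parser or the JS tokenizer as themselves.
    public function js(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x80) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp > 0xFFFF) {
                // Astral code points must be written as a surrogate pair.
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }
            return sprintf('\\u%04X', $cp);
        }, $this->utf8($s));
    }

    // CSS string or identifier: \HH escapes; the trailing space stops a
    // following hex digit from being absorbed into the escape.
    public function css(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
            return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
        }, $this->utf8($s));
    }

    // A single URL component (query value, path segment), never a whole URL.
    public function urlComponent(string $s): string
    {
        return rawurlencode($this->utf8($s));
    }

    // A whole user-supplied URL destined for href/src. No escaping makes a
    // "javascript:" scheme safe, so the scheme is checked against an
    // allowlist and the result is then attribute-escaped. Returns null on
    // rejection so the caller has to choose a fallback explicitly.
    public function safeHref(string $url, array $allowed = ['http', 'https', 'mailto']): ?string
    {
        $url = $this->utf8($url);
        // Browsers drop tab/newline anywhere and leading/trailing controls
        // and spaces before resolving, so do the same before inspecting.
        $url = trim(str_replace(["\t", "\n", "\r"], '', $url), "\x00..\x20");
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if ($scheme === false) {
            return null;                       // unparseable
        }
        if ($scheme !== null && !in_array(strtolower($scheme), $allowed, true)) {
            return null;                       // javascript:, data:, php:// ...
        }
        return $this->htmlAttr($url);
    }
}

// Constructed sample input: an attribute-breakout payload.
$e = new ContextEscaper();
$payload = '" onmouseover="alert(1)';
echo '<div title="' . $e->htmlAttr($payload) . '">' . $e->html($payload) . "</div>\n";
echo "<script>var s = '" . $e->js($payload) . "';</script>\n";
echo '<a href="' . ($e->safeHref('javascript:alert(1)') ?? '#') . '">rejected</a>' . "\n";
echo '<a href="' . $e->safeHref('https://example.com/?q=' . $e->urlComponent('a&b')) . '">ok</a>' . "\n";
```

Two things the example makes concrete. First, the same payload gets a different transformation in each context, which is why one FILTER_ESCAPE_* flag per context would be the minimum and a single "XSS_CLEAN" cannot exist. Second, safeHref() is validation, not escaping: a javascript: or php:// scheme is rejected outright, and only a URL that passed the allowlist is then attribute-escaped, so the two steps stay separate just as Paddy's message argues.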