Newsgroups: php.internals
Xref: news.php.net php.internals:63054
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Derick Rethans <derick@php.net>
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 08:11:32 -0400 (EDT)

On Tue, 18 Sep 2012, Pádraic Brady wrote:

> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper

I understand that this is really beneficial to have, but, I wonder, why
can't this be a composer-installable class, implemented in PHP? It
solves the issue that you need to find a volunteer, as well as that
updating it is a lot easier, and, you don't have to rely on shared
hosters having it enabled. I realize that you want to have this
generally available, but for that we have ext/filter - which is not
really used too much I *think*. Why would this be different? IMO, we
should make a composer-installable package for this, and then litter all
our escaping-related document pages with links to this new package.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
Posted with an email client that doesn't mangle email: alpine
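An added illustration of the per-context escaping the RFC and this reply are about. This is example code written for this page, not Zend\Escaper, Twig's escaper or the class the RFC proposes; the class name ContextEscaper and the attacker-style inputs at the bottom are made up for the example. It assumes PHP 7.2 or later with ext/mbstring and UTF-8 input, and it is exactly the shape of pure-PHP class a userland package would ship.

```php
<?php
declare(strict_types=1);

/*
 * ContextEscaper is a hypothetical class written for this example. It is not
 * Zend\Escaper, Twig's escaper or the class the RFC proposes; it shows the
 * idea behind them: HTML body, HTML attribute, JavaScript string and URL
 * contexts each need a different escaping rule. Assumes PHP 7.2+ with
 * ext/mbstring and UTF-8 input.
 */
final class ContextEscaper
{
    /** Refuse input that is not valid UTF-8 so malformed multibyte sequences cannot slip past the regexes. */
    private function assertUtf8(string $s): string
    {
        if (!mb_check_encoding($s, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        return $s;
    }

    /** HTML body text: the five HTML-significant characters become entities. */
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($this->assertUtf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** HTML attribute value: everything outside [A-Za-z0-9,._-] becomes a numeric
     *  entity, so even an unquoted attribute cannot be closed or followed by a new one. */
    public function escapeHtmlAttr(string $s): string
    {
        return preg_replace_callback(
            '/[^A-Za-z0-9,._-]/u',
            static function (array $m): string {
                $cp = mb_ord($m[0], 'UTF-8');
                return sprintf($cp < 0x100 ? '&#x%02X;' : '&#x%04X;', $cp);
            },
            $this->assertUtf8($s)
        );
    }

    /** JavaScript string literal: everything outside [A-Za-z0-9,._] becomes \xHH or
     *  \uHHHH, which neutralises quotes, backslashes, newlines and "</script>". */
    public function escapeJs(string $s): string
    {
        return preg_replace_callback(
            '/[^A-Za-z0-9,._]/u',
            static function (array $m): string {
                $cp = mb_ord($m[0], 'UTF-8');
                if ($cp < 0x100) {
                    return sprintf('\\x%02X', $cp);
                }
                if ($cp < 0x10000) {
                    return sprintf('\\u%04X', $cp);
                }
                // Astral-plane code point: JavaScript wants a UTF-16 surrogate pair.
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            },
            $this->assertUtf8($s)
        );
    }

    /** URL query parameter: RFC 3986 percent-encoding. */
    public function escapeUrl(string $s): string
    {
        return rawurlencode($this->assertUtf8($s));
    }
}

// Constructed attacker-controlled inputs, one per context.
$e    = new ContextEscaper();
$attr = ' onmouseover=alert(1)';   // aimed at an unquoted attribute
$js   = "'; alert(1); //";         // aimed at a single-quoted JS string

// Body-text escaping leaves the space alone, so the browser sees two attributes.
echo '<div title=' . htmlspecialchars($attr, ENT_QUOTES, 'UTF-8') . ">\n";
// Attribute escaping encodes the space and '=', keeping the whole value in one attribute.
echo '<div title=' . $e->escapeHtmlAttr($attr) . ">\n";
// JS escaping encodes the quote, so the payload stays inside the string literal.
echo "<script>var x = '" . $e->escapeJs($js) . "';</script>\n";
// Body context for comparison.
echo '<p>' . $e->escapeHtml('<b>"hi"</b>') . "</p>\n";
// A URL inside an attribute is two contexts: percent-encode first, then attribute-escape.
echo '<a href="/search?q=' . $e->escapeHtmlAttr($e->escapeUrl('a&b=c')) . '">search</a>' . "\n";
```

The point the demo makes is the one both sides of the thread take for granted: htmlspecialchars() is a body-text escaper, and in the unquoted-attribute line it leaves the leading space and the = untouched, so the markup acquires a second attribute; the attribute escaper encodes every character outside its small safe set and the value stays a value. The last line shows that contexts nest, and the inner (URL) encoding is applied before the outer (attribute) one.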