Newsgroups: php.internals
Xref: news.php.net php.internals:63066
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: jpauli@php.net (jpauli)
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 18:31:13 +0200

On Tue, Sep 18, 2012 at 2:27 PM, Pádraic Brady wrote:
> Hi Derick,
>
> This is already available over composer. The RFC contains links to the
> two frameworks which have implemented Escapers in line with the RFC.
>
> The point of the RFC is to ensure a consistent API for escaping is
> available to all PHP programmers without resorting to userland
> solutions. Existing functions are widely misused, misconfigured or
> have builtin security issues yet are popularly advanced as "escaping"
> for XSS.
>
> XSS is also...XSS. It's either the first or second most common
> vulnerability in web applications (depending on whose data you use). I
> think it warrants PHP distributing a proper solution out of the box.
>
> Paddy
>
> On Tue, Sep 18, 2012 at 1:11 PM, Derick Rethans wrote:
>> On Tue, 18 Sep 2012, Pádraic Brady wrote:
>>
>>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>>> The RFC is a proposal to implement a standardised means of escaping
>>> data which is being output into XML/HTML.
>>>
>>> Cross-Site Scripting remains one of the most common vulnerabilities in
>>> web applications and there is a continued lack of understanding
>>> surrounding how to properly escape data. To try and offset this, I've
>>> written articles, attempted to raise awareness and wrote the
>>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>>> adopted similar measures in line with its own focus on security.
>>>
>>> That's all. The RFC should be self-explanatory and feel free to pepper
>>> me with questions.
>>> As the RFC notes, I'm obviously not a C programmer
>>> so I'm reliant on finding a volunteer who's willing to take this one
>>> under their wing (or into their basement - whichever works).
>>>
>>> https://wiki.php.net/rfc/escaper
>>
>> I understand that this is really beneficial to have, but, I wonder, why
>> can't this be a composer-installable class, implemented in PHP? It
>> solves the issue that you need to find a volunteer, as well as that
>> updating it is a lot easier, and, you don't have to rely on shared
>> hosters having it enabled.
>>
>> I realize that you want to have this
>> generally available, but for that we have ext/filter - which is not
>> really used too much I *think*. Why would this be different? IMO, we
>> should make a composer installable package for this, and then litter all
>> our escaping related document pages with links to this new package.
>>
>> cheers,
>> Derick
>>
>> --
>> http://derickrethans.nl | http://xdebug.org
>> Like Xdebug? Consider a donation: http://xdebug.org/donate.php
>> twitter: @derickr and @xdebug
>> Posted with an email client that doesn't mangle email: alpine
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Implementing this in Core may be very nice, but also very hard to do.
String escaping is a pain to implement in C. One would say: once it's done, it's OK, but unfortunately that's not the case, as XSS rules evolve through time as the attacks evolve. See the escape modules web servers tried to push (mod_security and its counterpart in Nginx); it's a PITA to maintain if you want something that covers a large area.
By the way: why not let the web server do this, as nowadays they seem to manage that problem?

Julien.P
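Since the thread turns on existing functions being misconfigured rather than on any new escaping rule, here is an added example (not code from the RFC, from Zend\Escaper or from any message in the thread) showing the ENT_QUOTES pitfall beside a minimal context-aware escaper for the HTML body and attribute contexts the RFC distinguishes. It assumes PHP 7.4+ with mbstring; escapeHtml, escapeHtmlAttr and demo are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added illustration (not code from the RFC, Zend\Escaper or this thread).
// Assumes PHP 7.4+ with mbstring. Function names are hypothetical, chosen
// to mirror the body/attribute contexts the RFC distinguishes.

// HTML body context. Flags and charset are passed explicitly: on PHP < 8.1
// the default flags omit ENT_QUOTES, so a bare htmlspecialchars($s) leaves
// a single quote untouched, which is the kind of misconfiguration the
// thread refers to.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute context. Encodes every character outside [A-Za-z0-9,._-]
// as a hex entity, so the result is safe in double-quoted, single-quoted
// and unquoted attributes alike (space and '=' are encoded as well).
function escapeHtmlAttr(string $s): string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return preg_replace_callback(
        '/[^A-Za-z0-9,._-]/u',
        static fn (array $m): string => sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8')),
        $s
    );
}

// Constructed sample input: a value containing a single quote.
function demo(): array
{
    $name = "O'Reilly";
    return [
        'bare' => htmlspecialchars($name),   // O'Reilly on PHP < 8.1 (quote kept)
        'body' => escapeHtml($name),         // O&#039;Reilly
        'attr' => escapeHtmlAttr($name),     // O&#x27;Reilly
    ];
}

foreach (demo() as $context => $escaped) {
    printf("%-4s %s\n", $context, $escaped);
}
```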