Newsgroups: php.internals
Date: Tue, 18 Sep 2012 12:56:03 -0400
In-Reply-To: <5058A697.30903@sugarcrm.com>
To: Stas
Malyshev
Cc: Pádraic Brady, internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: ircmaxell@gmail.com (Anthony Ferrara)

Stas,

On Tue, Sep 18, 2012 at 12:51 PM, Stas Malyshev wrote:
> Hi!
>
> > I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> > The RFC is a proposal to implement a standardised means of escaping
> > data which is being output into XML/HTML.
>
> We already have filter extension. Is it really necessary to invent yet
> another way of filtering data?

Filtering is very different from escaping. They each handle similar but
unique problems:
http://stackoverflow.com/questions/4218136/is-filter-input-escape-output-still-valid-with-pdo/4218219#4218219

> Also, a problem with putting code of this complexity in core would be
> that if it ever had a defect - e.g. we forgot to account for some weird
> browser quirk that does not follow RFCs, or some strange encoding
> combination, or just a plain bug - it would be very hard for the users
> to mitigate without upgrading PHP - which is not always under their
> control. When using PHP code, they could just d/l new ZF class, but with
> core implementation it'd be much harder.
>
> So far I am not convinced we should really do it. But if somebody
> creates PECL extension and it proves popular, it may be merged into core
> once it does.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
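The filtering-versus-escaping distinction Anthony draws above, as an added example that is not part of the thread and does not use the RFC's proposed Escaper API: filtering (ext/filter) decides whether a piece of input is acceptable for its type; escaping encodes a value for one specific output context so it cannot change the surrounding markup. The two inputs, the helper names (filterEmail, escapeHtml, escapeHtmlAttr, escapeJs) and the attribute-encoding whitelist are all my own constructions, written against PHP's built-in htmlspecialchars, filter_var, json_encode and mbstring, not against anything in the RFC.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs (not from the thread): one hostile, one merely awkward.
$hostile = 'alice@example.com"><script>alert(1)</script>';
$awkward = "O'Brien <Dev>";   // legitimate user data that a sanitizing filter would mangle

// FILTERING: answers "is this an e-mail address?", not "is this safe to print?".
// Hostile input is rejected outright; it is never made safe, only refused.
function filterEmail(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// ESCAPING: encodes a value for one output context. Nothing is rejected; the
// same string needs a different encoding depending on where it lands.
function escapeHtml(string $s): string
{
    // Element content (and quoted attributes): & < > " ' become entities;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeHtmlAttr(string $s): string
{
    // Attribute context: hex-encode every character outside [A-Za-z0-9,.-_]
    // so the value stays inert even if a template author forgot the quotes.
    // (Whitelist is an assumption of this example, not a standard.)
    $out = preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m): string {
        // Code point of the (possibly multibyte) character, via UTF-32BE.
        $cp = hexdec(bin2hex(mb_convert_encoding($m[0], 'UTF-32BE', 'UTF-8')));
        return sprintf('&#x%X;', $cp);
    }, $s);
    return $out ?? '';
}

function escapeJs(string $s): string
{
    // JavaScript string-literal context: emit a quoted literal with < > & ' "
    // hex-escaped so it cannot terminate an inline <script> block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Filtering alone: the hostile string is refused; a plain address passes.
var_dump(filterEmail($hostile));
var_dump(filterEmail('alice@example.com'));

// Escaping alone: both strings are accepted and rendered harmlessly, each
// encoded for the context it is placed in. Filtering has no say here.
printf("<p>%s</p>\n", escapeHtml($awkward));
printf("<input value=%s>\n", escapeHtmlAttr($awkward));
printf("<script>var name = %s;</script>\n", escapeJs($awkward));
printf("<p>%s</p>\n", escapeHtml($hostile));
```

Run it with `php example.php` and compare the outputs: the filter rejects one input and cannot be applied to the other at all (a display name has no "type" to validate against), while the escapers accept both and produce different encodings of the same apostrophe and angle brackets for the element, attribute and script contexts. That is the point of the link above: filtering protects the application's model of its data, escaping protects the document it is writing into, and neither replaces the other.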