Newsgroups: php.internals
Xref: news.php.net php.internals:63082
Date: Tue, 18 Sep 2012 18:32:17 +0100
From: Pádraic Brady <padraic.brady@gmail.com>
To: Michael Shadle
Cc: internals@lists.php.net
In-Reply-To: <0AC6EB13-3588-403B-BE73-968F12C7B7AF@gmail.com>
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

Hi Michael,

See the link near the bottom of the RFC - even htmlspecialchars() has unusual behaviour that's potentially insecure. I have no objections to there being functions, of course, and the RFC makes that clear. However, many programmers like me are obsessed with objects, so having an SPL class will obviously be near and dear to my design-patterned heart ;).

Paddy

On Tue, Sep 18, 2012 at 5:39 PM, Michael Shadle wrote:
> Also as there is also htmlspecialchars() which most people use for escaping this seems like a better, more centralized functionality and better nomenclature for escaping on output in general with options for various types (and should just be utf-8 by default :))
>

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
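To make concrete the kind of htmlspecialchars() behaviour the thread refers to, here is an added example of a small escaper class; it is not code from the RFC, from Zend Framework, or from either poster. It assumes PHP 7.4 or later (arrow functions, mb_ord) and relies on two documented behaviours of htmlspecialchars(): before PHP 8.1 its default flag set was ENT_COMPAT, which leaves single quotes unescaped, and without ENT_SUBSTITUTE an invalid UTF-8 byte sequence makes it return an empty string rather than raising an error. The class name and the attribute-context escaping rule (hex-entity everything outside a small safe set) are this example's own choices.

```php
<?php
// Added example (not from the RFC or the thread): an escaper that fixes the
// flags and charset explicitly so output escaping does not depend on the PHP
// version or on the default_charset ini setting.
declare(strict_types=1);

final class HtmlEscaper
{
    // ENT_QUOTES: escape both quote styles; ENT_SUBSTITUTE: replace invalid
    // byte sequences with U+FFFD instead of returning ""; ENT_HTML401 keeps
    // the single quote as &#039; (ENT_HTML5 would emit &apos;).
    private const FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;

    // Element-content context: only the significant characters change.
    public function escapeHtml(string $value): string
    {
        return htmlspecialchars($value, self::FLAGS, 'UTF-8');
    }

    // Attribute-value context: encode everything except [A-Za-z0-9,._-] as a
    // numeric entity, so the result cannot terminate a quoted or an unquoted
    // attribute whatever delimiter the template used.
    public function escapeHtmlAttr(string $value): string
    {
        // preg_* with the /u modifier returns null on invalid UTF-8, so reject
        // such input up front instead of silently emitting an empty attribute.
        if (!mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException('Value is not valid UTF-8');
        }
        return preg_replace_callback(
            '/[^A-Za-z0-9,._-]/u',
            static fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')),
            $value
        );
    }
}

$escaper = new HtmlEscaper();

// Constructed inputs (not taken from the page).
$quoted  = "O'Reilly";     // a single quote inside a value
$latin1  = "caf\xE9";      // ISO-8859-1 byte, invalid as UTF-8

// 1. Defaults vs explicit flags. On PHP < 8.1 the first call leaves the
//    single quote untouched, which is unsafe inside a single-quoted attribute.
var_dump(htmlspecialchars($quoted));            // PHP < 8.1: O'Reilly
var_dump($escaper->escapeHtml($quoted));        // O&#039;Reilly
var_dump($escaper->escapeHtmlAttr($quoted));    // O&#x27;Reilly

// 2. Invalid UTF-8. Without ENT_SUBSTITUTE the whole value is dropped, which
//    is easy to miss in a template; with it, the bad byte becomes U+FFFD.
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));   // ""
var_dump($escaper->escapeHtml($latin1));                     // "caf\u{FFFD}"

try {
    $escaper->escapeHtmlAttr($latin1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;              // Value is not valid UTF-8
}
```

The point of fixing the flags in one place is that every call site gets the same contract: quotes are always escaped, the charset is always UTF-8, and malformed input is either substituted or rejected rather than turned into an empty string. A per-context method (content vs. attribute) is what a function with a single default behaviour cannot offer.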