Newsgroups: php.internals
Xref: news.php.net php.internals:63083
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: ircmaxell@gmail.com (Anthony Ferrara)
To: jpauli
Cc: Pádraic Brady, internals@lists.php.net
Date: Tue, 18 Sep 2012 13:33:34 -0400

Julien,

> Implementing this in Core may be very nice, but as well very hard to do.
> String escaping is a pain to implement in C. One would tell: once
> it's done, it's OK, but unfortunately, that's not the case, as XSS
> rules evolve through time as the attacks evolve.
>
> See the escape modules web servers tried to push (mod_security and its
> counterpart in Nginx); it's a PITA to maintain if you want something that
> covers a large area.
>
> By the way: why not let the web server do this, as nowadays they seem
> to manage that problem?

As Padraic indicated, this is solving a different problem than the web server even can. This has to be solved at the application layer (it physically can't be solved above it)...

As far as implementation pains, if I were to support this, I would want to see something like the ESAPI (Enterprise Security API - by OWASP) used for the actual implementation:

http://code.google.com/p/owasp-esapi-c/

Perhaps providing a thin wrapper around it, but I wouldn't go much further than that. And I don't think I'd support our own implementation (not using an established C library)...

Anthony
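As an added illustration of the point made in this reply, that escaping has to happen at the application layer, the PHP 8 sketch below escapes one untrusted string for four different output contexts. This is example code written for this page; it is neither the RFC's proposed core class nor code from the OWASP ESAPI library linked above, and the class and method names are invented. A web server or WAF sees only the request and not which of these contexts the value will later be written into, so it cannot choose the right transformation; the templating code that emits the value can.

```php
<?php
declare(strict_types=1);

/**
 * Minimal context-aware escaper (illustration only, not the RFC's class and
 * not OWASP ESAPI). Each method is tied to one output context: the correct
 * transformation depends on where the value lands in the document, and only
 * the code writing the document knows that.
 */
final class ContextEscaper
{
    private string $encoding;

    public function __construct(string $encoding = 'UTF-8')
    {
        $this->encoding = $encoding;
    }

    /** HTML body context, e.g. <p>VALUE</p>. */
    public function html(string $value): string
    {
        return htmlspecialchars(
            $value,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            $this->encoding
        );
    }

    /** HTML attribute value context, e.g. <div title="VALUE">. */
    public function htmlAttr(string $value): string
    {
        // Everything except alphanumerics and , . _ - becomes a numeric entity,
        // so the result stays inert even inside an unquoted attribute.
        return $this->replaceUnsafe('/[^A-Za-z0-9,._-]/u', $value, function (int $cp): string {
            return sprintf('&#x%X;', $cp);
        });
    }

    /** JavaScript string literal context, e.g. var x = 'VALUE'; inside <script>. */
    public function js(string $value): string
    {
        return $this->replaceUnsafe('/[^A-Za-z0-9,._]/u', $value, function (int $cp): string {
            if ($cp < 0x80) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp > 0xFFFF) {
                // Outside the BMP: emit a UTF-16 surrogate pair.
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }
            return sprintf('\\u%04X', $cp);
        });
    }

    /** URL query parameter context, e.g. /search?q=VALUE. */
    public function url(string $value): string
    {
        return rawurlencode($this->toUtf8($value));
    }

    /** Replace every character matched by $pattern with the encoder's output for its code point. */
    private function replaceUnsafe(string $pattern, string $value, callable $encodeCodepoint): string
    {
        $value = $this->toUtf8($value);
        $out = preg_replace_callback($pattern, function (array $m) use ($encodeCodepoint): string {
            return $encodeCodepoint(mb_ord($m[0], 'UTF-8'));
        }, $value);
        if ($out === null) {
            throw new RuntimeException('Escaping failed: ' . preg_last_error_msg());
        }
        return $out;
    }

    /** Normalise to UTF-8 and fail closed on malformed input rather than emit half-escaped output. */
    private function toUtf8(string $value): string
    {
        if ($this->encoding !== 'UTF-8') {
            $value = mb_convert_encoding($value, 'UTF-8', $this->encoding);
        }
        if (!mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException('Input is not valid ' . $this->encoding);
        }
        return $value;
    }
}

// Constructed sample input: ordinary text that happens to contain the
// characters that are significant in each of the four contexts.
$untrusted = 'O\'Neil & "Sons" <b>';
$e = new ContextEscaper();

printf("<p>%s</p>\n", $e->html($untrusted));
printf("<div title=\"%s\"></div>\n", $e->htmlAttr($untrusted));
printf("<script>var who = '%s';</script>\n", $e->js($untrusted));
printf("<a href=\"/search?q=%s\">link</a>\n", $e->url($untrusted));
```

Run it with `php escaper.php` (PHP 8.0 or later for `preg_last_error_msg`, the mbstring extension for `mb_ord`). The four printed lines show the same input turned into four different byte sequences; the HTML-body form is not safe inside a script block, and the JavaScript form is not safe inside a URL, which is exactly why no single filter applied before the application runs can do this job.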