Newsgroups: php.internals
Xref: news.php.net php.internals:63085
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Pádraic Brady <padraic.brady@gmail.com>
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 18:40:28 +0100
In-Reply-To: <5058A697.30903@sugarcrm.com>

Hi Stas,

This is not an input filter, and PHP already suffers the same outrageous disadvantages by offering htmlspecialchars(), rawurlencode(), etc. The rules for escaping are well established and DO NOT change overnight. Those for Javascript and CSS are in their respective standards. Those for HTML/XML have been known since the 90s and still haven't changed. PHP seems quite happy about offering encoding mechanisms if anything - where did json_encode() spring from? Browser defects are not PHP's problem.

Folk seem to be missing the point that this is output oriented to a well understood set of rules.

Paddy

On Tue, Sep 18, 2012 at 5:51 PM, Stas Malyshev wrote:
> Hi!
>
>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>> The RFC is a proposal to implement a standardised means of escaping
>> data which is being output into XML/HTML.
>
> We already have filter extension. Is it really necessary to invent yet
> another way of filtering data?
>
> Also, a problem with putting code of this complexity in core would be
> that if it ever had a defect - e.g. we forgot to account for some weird
> browser quirk that does not follow RFCs, or some strange encoding
> combination, or just a plain bug - it would be very hard for the users
> to mitigate without upgrading PHP - which is not always under their
> control. When using PHP code, they could just d/l new ZF class, but with
> core implementation it'd be much harder.
>
> So far I am not convinced we should really do it. But if somebody
> creates PECL extension and it proves popular, it may be merged into core
> once it does.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
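The per-context escaping rules the reply refers to (HTML body, HTML attribute, JavaScript string, CSS string), shown as an added PHP example that is not code from the RFC or from Zend Framework; the class and method names are assumptions, and the sample input is constructed.

```php
<?php
// Added example, not code from the RFC or Zend Framework: a minimal
// context-aware output escaper. Class and method names are assumptions.
// Requires the mbstring extension for mb_ord().

final class ContextEscaper
{
    // HTML body text: encode the five significant characters as entities.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute value: every non-alphanumeric character becomes a
    // numeric entity, so spaces and both quote characters are covered too.
    public static function htmlAttr(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u', function ($m) {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // JavaScript string literal: \xHH below U+0100, \uHHHH in the BMP,
    // \u{H...} (ES2015) above it. HTML entities are the wrong tool here:
    // a <script> block is not entity-decoded before the JS parser sees it.
    public static function js(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._]/u', function ($m) {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x100) {
                return sprintf('\\x%02X', $cp);
            }
            return $cp <= 0xFFFF ? sprintf('\\u%04X', $cp) : sprintf('\\u{%X}', $cp);
        }, $s);
    }

    // CSS string: \HH with a trailing space so the escape terminates
    // even when the next character is itself a hex digit.
    public static function css(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u', function ($m) {
            return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }
}

$sample = 'O\'Reilly & "friends" <b>';   // constructed sample input
foreach (['html', 'htmlAttr', 'js', 'css'] as $ctx) {
    printf("%-8s %s\n", $ctx, ContextEscaper::$ctx($sample));
}
```

Running it prints the same input encoded four different ways, which is the point of the thread: the encoding is chosen by the output context, not by the input.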