Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Pierre Joye <pierre.php@gmail.com>
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 19:46:07 +0200

hi Pádraic!

On Tue, Sep 18, 2012 at 1:30 PM, Pádraic Brady wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper

Like the idea, while I have to sit on it a bit to see the possible pitfalls :)

However I am really not a fan of using a class as namespace. All these
methods have nothing in common but what they do; they all treat
different inputs, may have different options, etc.

Functions could work just as fine for that, or if necessary (see my
ajaxmin ext) create a class per input and add the necessary properties
for the options. That could be much cleaner and forward compatible.

Cheers,
-- 
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
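As an added illustration of the "one class per output context, with its own options" shape suggested in the reply above (example code written for this page, not the RFC's implementation and not Zend\Escaper; the class names and the attribute safe-character set are assumptions, and PHP 8 syntax is assumed):

```php
<?php
// Example written for this page: one escaper class per output context,
// each carrying its own options, instead of one class used as a namespace.
// Not the RFC's or Zend\Escaper's code; class names and the attribute
// safe-character set are assumptions. Requires PHP 8 (constructor promotion).

interface ContextEscaper
{
    public function escape(string $value): string;
}

// Context 1: text between HTML tags. Converting & < > " ' is sufficient here.
final class HtmlTextEscaper implements ContextEscaper
{
    public function __construct(private string $charset = 'UTF-8') {}

    public function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->charset);
    }
}

// Context 2: an HTML attribute value. In an unquoted attribute the browser
// ends the value at whitespace and treats = and quotes as syntax, so every
// character outside a small alphanumeric set is emitted as a numeric entity.
final class HtmlAttrEscaper implements ContextEscaper
{
    public function __construct(private string $charset = 'UTF-8') {}

    public function escape(string $value): string
    {
        $utf8 = mb_convert_encoding($value, 'UTF-8', $this->charset);
        return preg_replace_callback(
            '/[^a-zA-Z0-9,._-]/u',
            static fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')),
            $utf8
        );
    }
}

// Constructed sample input: the same string rendered in both contexts.
$input = 'a b=c "d" é';
$text  = new HtmlTextEscaper();
$attr  = new HtmlAttrEscaper();
echo '<p>', $text->escape($input), "</p>\n";
echo '<input value=', $attr->escape($input), ">\n";
```

Each context class owns the options that matter to it (here only the charset), which is the property-per-class arrangement the reply contrasts with a single class holding unrelated static methods.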