Newsgroups: php.internals
Xref: news.php.net php.internals:63088
From: padraic.brady@gmail.com (Pádraic Brady)
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Tue, 18 Sep 2012 18:57:36 +0100
In-Reply-To: <5058A7C4.9030903@sugarcrm.com>
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

Hi Stas,

On Tue, Sep 18, 2012 at 5:56 PM, Stas Malyshev wrote:
> Hi!
>
>> The point of the RFC is to ensure a consistent API for escaping is
>> available to all PHP programmers without resorting to userland
>
> I do not see why "without resorting to userland" is a worthy goal in
> every case. It's like saying "I want to code in Python without ever
> using import" or "I want to code in Perl without ever using CPAN". Makes
> no sense, right? Why should we insist on this in PHP?

Programmers haven't figured out how to use the 1-2 covering functions
that already exist and you expect them to do it in userland code? Maybe
we should ditch json_encode() tomorrow. I can do it in userland code
too. PHP does a LOT of things possible in userland code. The argument I
made in the RFC boils down to simply giving programmers a helping hand.
They are writing insecure code because PHP isn't fulfilling that need
for one of the most serious security risks in PHP today. Surely that
warrants action to serve programmers?

>> solutions. Existing functions are widely misused, misconfigured or
>> have built-in security issues yet are popularly advanced as "escaping"
>> for XSS.
>
> Do you think your functions won't be misused, misconfigured and never
> would have bugs? Exactly the same would happen. Having yet another API
> doing the same as the old API is not a solution.

They have one configuration value. All other behaviour is fixed. How is
this remotely similar to the "old API"? Misuse can be constrained to
calling the wrong function and setting the wrong character encoding.
That's 2 versus the list of flaws in htmlspecialchars() I blogged about
(the link is in the RFC) and whatever might theoretically exist if PHP
actually had JavaScript and CSS options.

> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
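As an added example (not the RFC's code, nor anything from PHP core or from either participant in this thread), here is a userland sketch of the design Pádraic argues for: one configuration value, the character encoding, with every other behaviour fixed, and a separate method per output context. It goes a little beyond the message by including the JavaScript and CSS contexts it says PHP lacks. The class and method names are assumptions, the sample input is constructed, and it assumes PHP 7.4 or later (arrow functions, mb_ord()).

```php
<?php
// Added example, not code from the RFC or from PHP core: a userland sketch of
// a context-aware escaper whose only configuration value is the encoding.
// Class and method names are assumed; output of every method is pure ASCII,
// so it is valid in any ASCII-compatible target encoding.

final class Escaper
{
    private string $encoding;

    public function __construct(string $encoding = 'UTF-8')
    {
        // The single configurable value. Unknown encodings are rejected
        // rather than silently passed through to the escaping functions.
        $encoding = strtoupper($encoding);
        if (!in_array($encoding, array_map('strtoupper', mb_list_encodings()), true)) {
            throw new InvalidArgumentException("Unsupported encoding: $encoding");
        }
        $this->encoding = $encoding;
    }

    /** HTML body context: ampersand, angle brackets and both quote styles. */
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    /** HTML attribute context: every character outside [A-Za-z0-9,._-]
     *  becomes a numeric entity, so even unquoted attributes are covered. */
    public function escapeHtmlAttr(string $s): string
    {
        return $this->escapeBy($s, '/[^a-zA-Z0-9,._-]/u',
            fn(int $cp): string => sprintf('&#x%02X;', $cp));
    }

    /** JavaScript string literal context: \xHH, \uHHHH, or a surrogate pair. */
    public function escapeJs(string $s): string
    {
        return $this->escapeBy($s, '/[^a-zA-Z0-9,._]/u', function (int $cp): string {
            if ($cp < 0x80) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp < 0x10000) {
                return sprintf('\\u%04X', $cp);
            }
            // Astral code points are written as a UTF-16 surrogate pair.
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        });
    }

    /** CSS string/identifier context: \HH with a terminating space. */
    public function escapeCss(string $s): string
    {
        return $this->escapeBy($s, '/[^a-zA-Z0-9]/u',
            fn(int $cp): string => sprintf('\\%X ', $cp));
    }

    /** Shared worker: normalise to UTF-8, fail closed on malformed input,
     *  then replace every code point matched by $unsafe with $fmt(codepoint). */
    private function escapeBy(string $s, string $unsafe, callable $fmt): string
    {
        if ($this->encoding !== 'UTF-8') {
            $s = mb_convert_encoding($s, 'UTF-8', $this->encoding);
        }
        if (!mb_check_encoding($s, 'UTF-8')) {
            // Malformed byte sequences are a classic way past byte-oriented
            // escapers; refuse the input rather than emit it into the page.
            throw new InvalidArgumentException('Input is not valid ' . $this->encoding);
        }
        return preg_replace_callback($unsafe,
            fn(array $m): string => $fmt(mb_ord($m[0], 'UTF-8')), $s);
    }
}

// Constructed sample input: an attribute-breakout attempt of the kind a
// body-only escaper leaves intact when the attribute is unquoted.
$untrusted = '" onmouseover=alert(1)';
$e = new Escaper('UTF-8');
echo '<input value=' . $e->escapeHtmlAttr($untrusted) . ">\n";
echo '<script>var v = "' . $e->escapeJs($untrusted) . "\";</script>\n";
echo '<style>.c::after { content: "' . $e->escapeCss($untrusted) . "\"; }</style>\n";
```

The point the thread makes is visible in the constructor: the only thing a caller can get wrong besides choosing the wrong method is the encoding, and an unknown encoding is refused up front instead of being passed through. Each context method hard-codes its own safe set and escape syntax, so there is no flag combination to misconfigure.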