Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Andrew Faulds <ajf@ajf.me>
To: Stas Malyshev
CC: Anthony Ferrara, Pádraic Brady, internals@lists.php.net
Date: Tue, 18 Sep 2012 19:03:03 +0100
Message-ID: <5058B757.7070405@ajf.me>
In-Reply-To: <5058B5A5.6090302@sugarcrm.com>

On 18/09/12 18:55, Stas Malyshev wrote:
> Again, you are taking a very narrow definition of filtering, which is not
> justified by anything but your very narrow use case, and try to present
> it as if this is the only meaning filtering has (despite numerous
> examples of using filters in a more generic sense) and that because of
> this we need to duplicate APIs we already have, just because you can use
> them in a different context. To me, it makes no sense - you can apply data
> filtering anywhere. If for your specific purpose of explaining how to
> make better security architecture you choose to define "filtering" and
> "escaping" as narrow distinct concepts, this is fine. This does not mean
> that we cannot use the existing filter extension - with already implemented
> methods doing exactly what is needed to be done - because they are to be
> used in a context which you call "escaping".

No, Stas, you are not realising that "filter" has a different meaning depending on which field it is used in. It has very different meanings in computer science, and when referring to the physical apparatus, compared to computer security. Since stopping XSS is a computer security issue, we should discuss it as such.

-- 
Andrew Faulds
http://ajf.me/
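The distinction the thread is arguing over, shown in working PHP. This is an added illustration, not code from the thread, from the RFC, or from the filter extension; it uses only stock PHP functions. Filtering (validate or sanitize with `filter_var`) operates at the input boundary and either rejects a value or rewrites it, without knowing where the value will end up. Escaping operates at the output boundary, leaves the stored value intact, and encodes it for one specific context so it cannot alter that context's syntax. The sample input `$name` is constructed; it is a legitimate value that still needs escaping in every context it is emitted into.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a perfectly legitimate display name that happens to
// contain characters significant in HTML, URL and JavaScript syntax.
$name = "O'Reilly & Sons <3";

// --- Filtering: input-boundary decisions, independent of output context ---

// Validation filter: accept or reject. FILTER_VALIDATE_INT returns false for
// anything that is not an integer within the given range.
function filterAge(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $v === false ? null : $v;
}

// Sanitizing filter: rewrites the value itself. After this, what is stored is
// no longer what the user typed, and the rewrite is tied to HTML even if the
// value is later used in a URL or a database query.
function sanitizeName(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
}

// --- Escaping: output-boundary encoding, one function per context ---

// HTML body and quoted attribute context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-parameter context.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// JavaScript string-literal context inside a <script> block. The JSON_HEX_*
// flags encode the characters that would otherwise close the tag or the string.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Filtering answers "is this an acceptable value?"; it does not make the
// accepted value safe to embed anywhere.
var_dump(filterAge('42'));     // int(42)
var_dump(filterAge('42abc'));  // NULL

// The sanitized copy is altered data; the original is still needed as-is for
// non-HTML uses, so sanitizing is not a substitute for per-context escaping.
printf("stored (sanitized): %s\n", sanitizeName($name));

// The same unmodified value, encoded differently for each place it is emitted.
printf("HTML body:  <span>%s</span>\n", escapeHtml($name));
printf("HTML attr:  <input value=\"%s\">\n", escapeHtml($name));
printf("URL param:  /search?q=%s\n", escapeUrlParam($name));
printf("JS string:  <script>var n = %s;</script>\n", escapeJs($name));
```

Run with `php example.php`. The point the example makes concrete is that a filter has to be chosen when data arrives, before its destination is known, whereas an escaper has to be chosen per destination; a value that passes validation unchanged still requires a different encoding for HTML, URL and JavaScript output.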