Newsgroups: php.internals
Date: Tue, 18 Sep 2012 14:15:31 -0400
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: steve@mrclay.org (Steve Clay)

On 9/18/12 1:55 PM, Stas Malyshev wrote:
> Again, nowhere it is said that you can not apply different filters to
> different data or different context. Again, you narrow down definition
> of filtering, to which I see no purpose unless you seek to arrive at
> pre-determined conclusion that we need to duplicate APIs because it's
> called "filter".

I agree that filtering can mean general processing of data, but if we embrace this definition in the filter extension, why not deprecate *all* string functions and replace them with FILTER_SANITIZE_* constants?

I'd argue because naming matters, and *option* constants should not be used to wildly change behavior. Filter has already gone down this road--I doubt the value added by having a second, much more verbose way to call htmlspecialchars()--but I don't see why we must continue down that path.

Steve
--
http://www.mrclay.org/