Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Date: Tue, 18 Sep 2012 19:28:59 +0100
Message-ID: <5058BD6B.9060909@lsces.co.uk>
In-Reply-To: <5058AC72.4050906@ajf.me>

Andrew Faulds wrote:
>> No, he's not. Filtering and escaping are two very significant concepts in
>> security. Just because PHP implemented some escaping concepts into the filter
>> function does not mean that the concerns are co-related.
> Ah, again you see, I'm confusing things :) In the security context, English
> language context, and signal processing context, a filter removes. In computer
> science, but not computer security, it processes.
>
> I'm very confused :P

A filter simply takes an input and produces an output. There is nothing to say that the output can't be bigger than the input? I'd happily accept a filter that takes one language in and outputs a different one. Alright, that filter requires considerably more complex processing than taking a .css file and outputting it as a colour-coded document, or taking a piece of raw tagged HTML and outputting it in a format that allows it to be displayed rather than processed in the browser. Certainly a dictionary definition of 'filter' always implies that a reduced set of material comes out, so perhaps we need to use a different word for the process, but the same 'process' applies to all of these 'conversions'.

An input data format is converted to an output data format?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
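As an added illustration of the filter/escape distinction the thread is arguing over (example code written for this page, not from the RFC or from any poster; the function names are hypothetical), the same untrusted string is run through a filter, which removes, and through two context-specific escapers, which convert and may produce output longer than the input:

```php
<?php
// Added example, not part of the thread or the RFC. Contrasts a filter
// (removes or rejects material) with an escaper (converts every character
// the output context would interpret). Function names are hypothetical.
declare(strict_types=1);

// Filter: the output is a reduced subset of the input (tags are dropped).
function filterPlainText(string $input): string
{
    return strip_tags($input);
}

// Escaper for HTML element content: nothing is removed; the characters HTML
// gives meaning to are converted, so the output can be longer than the input.
function escapeForHtmlBody(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaper for an HTML attribute value: every character outside a small safe
// set becomes a numeric entity, so the value cannot close the attribute
// whichever quoting style the template used.
function escapeForHtmlAttribute(string $input): string
{
    return preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m): string {
        return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
    }, $input);
}

// Constructed sample: user-submitted text that happens to contain markup.
$untrusted = '<b>Bold</b> & "quoted" text';

echo "filter : ", filterPlainText($untrusted), "\n";        // Bold & "quoted" text
echo "body   : ", escapeForHtmlBody($untrusted), "\n";       // &lt;b&gt;Bold&lt;/b&gt; &amp; &quot;quoted&quot; text
echo "attr   : ", escapeForHtmlAttribute($untrusted), "\n";

// Escaped body contains no raw '<', so the browser displays it rather than parsing it.
assert(strpos(escapeForHtmlBody($untrusted), '<') === false);
// The filter shrank the input; the escaper grew it, as the reply above argues it may.
assert(strlen(filterPlainText($untrusted)) < strlen($untrusted));
assert(strlen(escapeForHtmlBody($untrusted)) > strlen($untrusted));
```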