Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63099
Return-Path: <ircmaxell@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 17845 invoked from network); 18 Sep 2012 18:40:32 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Sep 2012 18:40:32 -0000
Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.170 as permitted sender)
X-PHP-List-Original-Sender: ircmaxell@gmail.com
X-Host-Fingerprint: 209.85.217.170 mail-lb0-f170.google.com  
Received: from [209.85.217.170] ([209.85.217.170:33960] helo=mail-lb0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 09/ED-07072-020C8505 for <internals@lists.php.net>; Tue, 18 Sep 2012 14:40:32 -0400
Received: by lbbgp3 with SMTP id gp3so249838lbb.29
        for <internals@lists.php.net>; Tue, 18 Sep 2012 11:40:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Yj9ltDiCJ92fDGLwjoNjQhLgDpV3+D7OyiMt8DSR0is=;
        b=lVXDPEyVuSlt9Q6WkZyjcigPrbnsATloskyIZp432+bs25nxorUhestV3md+nlJoTm
         mHmcxVHgusd+PwQVG8Xp0NbgUwrURFdeEDcopCnxSVAok9qILrXGJozvREuLUKIGFYWq
         S4T3o1BeAPgqk5neG/j2my4ijB1TVFj4/QlVqThcGHgiwKcsnqH9xjj95KTEoZ3o9lKI
         fe6LD5rDSdwZbR8funBQoQljd2VfsSFgcpdG559HDCWiazLrX0xv3YReGeUkZRn0I8vH
         9ST0kE1G2Sugb1Ksz6clRlmjQwVwVOBb5qXKj5BeY62d7AZNWjfc5JPl1Z3/lWE9TGFh
         5Xtw==
MIME-Version: 1.0
Received: by 10.112.46.10 with SMTP id r10mr241956lbm.13.1347993628781; Tue,
 18 Sep 2012 11:40:28 -0700 (PDT)
Received: by 10.114.22.1 with HTTP; Tue, 18 Sep 2012 11:40:28 -0700 (PDT)
In-Reply-To: <5058BBA6.4090702@sugarcrm.com>
References: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com>
	<5058A697.30903@sugarcrm.com>
	<CAAyV7nF82MW1gRpVpiVooCNyj7YE-eVDqjzqFX0m3X1J7Kp_UA@mail.gmail.com>
	<5058A8B8.3070404@sugarcrm.com>
	<5058A97A.4080900@ajf.me>
	<5058AABA.1040406@sugarcrm.com>
	<CAAyV7nHgJku5MqKY-D_Gk+DaSt-Wda3BJHsSzyS=yW6xENRi6w@mail.gmail.com>
	<5058B5A5.6090302@sugarcrm.com>
	<5058BA43.8010806@mrclay.org>
	<5058BBA6.4090702@sugarcrm.com>
Date: Tue, 18 Sep 2012 14:40:28 -0400
Message-ID: <CAAyV7nGZ2iinDUcUfsVeBxFC_2nF8TmbaDrMDQTK0dkmnLifow@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: Steve Clay <steve@mrclay.org>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=f46d040122e9672d7f04c9fe39dd
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: ircmaxell@gmail.com (Anthony Ferrara)

--f46d040122e9672d7f04c9fe39dd
Content-Type: text/plain; charset=ISO-8859-1

Stas,

On Tue, Sep 18, 2012 at 2:21 PM, Stas Malyshev <smalyshev@sugarcrm.com>wrote:

> Hi!
>
> > Filter has already gone down this road--I doubt the value added by
> having a second, much
> > more verbose way to call htmlspecialchars()--but I don't see why we must
> continue down
> > that path.
>
> So, you don't think there should be second, more verbose way to call
> htmlspecialchars - that's why we should add third, more verbose way to
> call htmlspecialchars? Somehow this does not sound convincing to me.


No, we shouldn't. We should stick with oddly named functions with dubiously
complicated parameter combinations that nobody gets right, because they are
already there, and that's good enough, right? </sarcasm>

Look. Just because it's possible, doesn't mean that it shouldn't be
improved. The filter API is great. It really is. But for escaping output,
it's basically useless because it's not designed for that. It's designed
for filtering data. You can use it for "sanitizing", but that's more of a
hack. For example, filter will only work on the default character set (
http://www.php.net/manual/en/ini.core.php#ini.default-charset). But I may
have other character sets that I talk to different systems on. And Filter
has no way of handling that.

Filtering is a global concern. Escaping is a context concern. There's a
huge difference.

You can keep cramming the escaping concerns into a global filter handler
all you want. Or we could stop, and think about designing proper APIs for a
change. Where the API imparts both implementation and semantic meaning. An
API where it's easy to see if a user gets it right or not.

Personally, I'd rather have a dedicated API. It's the only way that
semantic meaning of the API will be preserved.

In this case, I would start it as a PECL extension implementing the ESAPI
library. Get the API right, and prove it works, then pull it into core.

--f46d040122e9672d7f04c9fe39dd--