Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63104
Return-Path: <padraic.brady@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 25583 invoked from network); 18 Sep 2012 19:06:59 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Sep 2012 19:06:59 -0000
Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.219.42 as permitted sender)
X-PHP-List-Original-Sender: padraic.brady@gmail.com
X-Host-Fingerprint: 209.85.219.42 mail-oa0-f42.google.com  
Received: from [209.85.219.42] ([209.85.219.42:44232] helo=mail-oa0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 7F/8F-07072-356C8505 for <internals@lists.php.net>; Tue, 18 Sep 2012 15:06:59 -0400
Received: by oagh2 with SMTP id h2so250544oag.29
        for <internals@lists.php.net>; Tue, 18 Sep 2012 12:06:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding;
        bh=4RU2YDs1RXsA/NAq0SDdIfRsF4cFHY7nUdZkq19tL9A=;
        b=BfZlcW3Z0Y/6byYQvohIYWDBD3H3gL9IfMWcYQWV/jiDp4aomVeJEzqgXvkZOQBPK1
         AhKKqnaOrI6iXLDZvmGdAqXkYDOMXSzwKPzZYsgH1Th0mvUkOcvwgC/rwxWY5YDDQBwj
         2GZZb7xA7LnxsEyvQNmezptcTUkiTTTJ9k8DOOvTsyTiT+nDkO7ANZxkCJ5Hu7OOIQbm
         PeLJ1zDpOnjl9YjCPnmfu9yOMESU6SgS02EVc7dP3emTo/+oc3ngpz1aRFSberiXEjG7
         a3QpvHEqurgFEz8iyC9y7VmxlB3V3fJ6iho3rY7vr4fjmXrKJhgeXjvtt9N9wX5ZlqFk
         pXzA==
MIME-Version: 1.0
Received: by 10.182.74.68 with SMTP id r4mr1223404obv.31.1347995216520; Tue,
 18 Sep 2012 12:06:56 -0700 (PDT)
Received: by 10.76.7.84 with HTTP; Tue, 18 Sep 2012 12:06:56 -0700 (PDT)
In-Reply-To: <5058B7A3.3030708@gmail.com>
References: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com>
	<5058B7A3.3030708@gmail.com>
Date: Tue, 18 Sep 2012 20:06:56 +0100
Message-ID: <CALwr1G=1_6-E9UaZtspDmFUZRkg1rZH+uQU62suh54rPJs-8Ug@mail.gmail.com>
To: =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= <keisial@gmail.com>
Cc: "internals@lists.php.net >> PHP Developers Mailing List" <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: padraic.brady@gmail.com (=?ISO-8859-1?Q?P=E1draic_Brady?=)

Hi =C1ngel,

The methods all refer to literal strings, values or digits. We can't
reasonably escape data while allowing valid markup for the current
context since that's a contradiction by its very nature. If you needed
to let user values drive CSS names, Javascript functions or variable
naming, or HTML markup, you need something completely different. For
example, HTML markup can be sanitised against a whitelist using
HTMLPurifier.

> I'm fine with the concept, but I'm not sold on the interface.
> It should be really clear when each of them should be used.
>
> escapeHtml()
> Ok, this is going to be used to show content inside a html document.
>
> escapeHtmlAttr()
> Use when using unquoted html attributes, otherwise use html escaping.
> When was the last time I saw an unquotted attribute with user-provided co=
ntent?

Hopefully never since that's the ideal ;). However, HTML5 allows
unquoted attributes which is perfectly valid. We don't make the user's
choice on this but we could provide the relevant tool for escaping if
they are completely and irredeemably insane :P.

> I think it should be replaced by a quoteHtmlAttr() function which properl=
y
> escapes the content and adds the quotes for you (or it might skip them
> if it determines it's not needed in this case).

The RFC focuses on escaping - not sanitising or reformatting.

> escapeJs()
> Escape javascript... but inside <script> tags, I guess? So it's not to
> be used
> for dynamically generated javascript. Not so clear.

Javascript literal strings (as defined by the standard).

> escapeCss()
> I'm not even sure in which cases would this be needed. Standalone CSS,
> inside
> a <style> tag, as style=3D"" attribute?

CSS values like a font size or background color. If user data is
allowed to alter names or any other CSS markup, you would need
sanitisation rather than escaping.

> escapeUrl()
> "It is included primarily for consistency". When do I need to use
> escapeUrl and
> when escapeHtml? What if it's an url inside a css tag inside a html
> document?

Basically any URL inside any attribute. It encodes part of a URL - the
overall URL would still need to be validated separately.

> It makes things more confusing, so I'd remove it.

Needs to be included to maintain consistency in having a full set of
go-to escapers.

> It should be clear what you are passing to that function and in which
> context
> it expects you to leave the output.

It might not be obvious but these are very straightforward to link to
specific contexts. Here's the clearest explanation of where all of
this fits into templating:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_C=
heat_Sheet

I should probably add that as a link to the RFC (Anthony will finally
get an ESAPI reference out of me ;)).

Paddy



--=20
P=E1draic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team