Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63106
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 29984 invoked from network); 18 Sep 2012 19:14:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Sep 2012 19:14:22 -0000
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 213.123.26.186 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 213.123.26.186 c2beaomr08.btconnect.com  
Received: from [213.123.26.186] ([213.123.26.186:50440] helo=mail.btconnect.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 3C/80-07072-C08C8505 for <internals@lists.php.net>; Tue, 18 Sep 2012 15:14:21 -0400
Received: from host81-138-11-136.in-addr.btopenworld.com (EHLO _10.0.0.5_) ([81.138.11.136])
	by c2beaomr08.btconnect.com
	with ESMTP id IZP41135;
	Tue, 18 Sep 2012 20:14:17 +0100 (BST)
Message-ID: <5058C809.50005@lsces.co.uk>
Date: Tue, 18 Sep 2012 20:14:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120604 Firefox/13.0 SeaMonkey/2.10
MIME-Version: 1.0
To: PHP Internals <internals@lists.php.net>
References: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com> <5058A697.30903@sugarcrm.com> <CAAyV7nF82MW1gRpVpiVooCNyj7YE-eVDqjzqFX0m3X1J7Kp_UA@mail.gmail.com> <5058A8B8.3070404@sugarcrm.com> <5058A97A.4080900@ajf.me> <5058AABA.1040406@sugarcrm.com> <CAAyV7nHgJku5MqKY-D_Gk+DaSt-Wda3BJHsSzyS=yW6xENRi6w@mail.gmail.com> <5058B5A5.6090302@sugarcrm.com> <5058BA43.8010806@mrclay.org> <5058BBA6.4090702@sugarcrm.com> <CAAyV7nGZ2iinDUcUfsVeBxFC_2nF8TmbaDrMDQTK0dkmnLifow@mail.gmail.com>
In-Reply-To: <CAAyV7nGZ2iinDUcUfsVeBxFC_2nF8TmbaDrMDQTK0dkmnLifow@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mirapoint-IP-Reputation: reputation=Fair-1,
	source=Queried,
	refid=tid=0001.0A0B0303.5058C809.0080,
	actions=tag
X-Junkmail-Premium-Raw: score=7/50,
	refid=2.7.2:2012.9.18.184217:17:7.944,
	ip=81.138.11.136,
	rules=__MOZILLA_MSGID,
		__HAS_MSGID,
		__SANE_MSGID,
		__HAS_FROM,
		__USER_AGENT,
		__MIME_VERSION,
		__TO_MALFORMED_2,
		__BOUNCE_CHALLENGE_SUBJ,
		__BOUNCE_NDR_SUBJ_EXEMPT,
		__SUBJ_ALPHA_END,
		__CT,
		__CT_TEXT_PLAIN,
		__CTE,
		__ANY_URI,
		__URI_NO_MAILTO,
		__URI_NO_WWW,
		__CP_URI_IN_BODY,
		__STOCK_PHRASE_6,
		BODY_ENDS_IN_URL,
		BODYTEXTP_SIZE_3000_LESS,
		BODY_SIZE_2000_2999,
		__MIME_TEXT_ONLY,
		RDNS_GENERIC_POOLED,
		HTML_00_01,
		HTML_00_10,
		BODY_SIZE_5000_LESS,
		RDNS_SUSP_GENERIC,
		RDNS_SUSP,
		BODY_SIZE_7000_LESS
X-Junkmail-Status: score=10/50, host=c2beaomr08.btconnect.com
X-Junkmail-Signature-Raw: score=unknown,
	refid=str=0001.0A0B0208.5058C809.0168:SCFSTAT14830815,ss=1,re=-4.000,fgs=0,
	ip=0.0.0.0,
	so=2011-07-25 19:15:43,
	dmn=2011-05-27 18:58:46,
	mode=multiengine
X-Junkmail-IWF: false
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: lester@lsces.co.uk (Lester Caine)

Anthony Ferrara wrote:
> Personally, I'd rather have a dedicated API. It's the only way that
> semantic meaning of the API will be preserved.
>
> In this case, I would start it as a PECL extension implementing the ESAPI
> library. Get the API right, and prove it works, then pull it into core.

Sounds the right way to placate the people who prefer this approach to building 
code. We then have the option to leave it off if we don't use it ;) I've even 
got a stock distribution that does not include any MySQL core stuff now so I'm 
happy with this modular approach.

> You can keep cramming the escaping concerns into a global filter handler
> all you want. Or we could stop, and think about designing proper APIs for a
> change. Where the API imparts both implementation and semantic meaning. An
> API where it's easy to see if a user gets it right or not.

Looking at the output 'filtering' applied to my own systems, I am more than 
happy that ACTUALLY I eliminate the problems people are quoting here, XSS 
prevention, by ensuring that the data being STORED is cleaned up in a way that I 
don't need to 'escape' anything. I do need to be able to 'encode' the output 
date to correctly display it but nothing in that process should be able to 
create an XSS problem? I do apply 'filtering' to the html tags which removes 
those that I do not want to be stored in page content, and css is similarly 
processed, so we have a run time dictionary that controls the processing rather 
than that being hard coded in the filters.

Basically if you are STORING XSS intrusions then you have badly designed code as 
there is no reason that it would be stored. If you want to 'display' suspect 
code, then it is 'escaped' before it is stored so preventing a potential problem 
if another viewer accesses the raw data!

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk