Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Pádraic Brady <padraic.brady@gmail.com>
To: Rasmus Lerdorf
Cc: Stas Malyshev, Steve Clay, PHP Internals
Date: Tue, 18 Sep 2012 20:28:50 +0100
In-Reply-To: <5058BECC.8080409@lerdorf.com>

Hi Rasmus,

On Tue, Sep 18, 2012 at 7:34 PM, Rasmus Lerdorf wrote:
> If we want to add more filters for more specific purposes, I am not
> completely against it, although the more specific they get the more
> churn there will be. We are not going to be able to kick out weekly
> releases to address every new nuance of these very specific filters. But
> they should be implemented as filters compatible with the filter
> extension so people can use them within that existing context. That
> doesn't preclude a more approachable function alias from also calling
> them, of course, much like the htmlspecialchars case.

I feel it needs to be reiterated that the escaper rules are very
predictable and very seldom change, as the regular expressions in the
Zend\Escaper class demonstrate. Each is bound to official standards for
JavaScript, CSS and HTML respectively, and most of the rules, defined
using the OWASP's recommendations as implemented in ESAPI, are really
clear-cut - escape everything except alphanumerics and a small range of
"safe" characters (CSS even has NO safe chars outside alphanumerics).
HTML and URL encoding are the only permissive variants and these are
already well known in PHP.

Paddy

-- 
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
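As an added illustration of the rule Pádraic describes (escape everything except alphanumerics plus a small per-context set of safe characters, with CSS allowing none at all), the class below applies that rule for the HTML body, HTML attribute, JavaScript string, CSS and URL contexts. It is example code written for this thread, not Zend\Escaper's own implementation and not part of the RFC; the class and method names are made up, it assumes PHP 7.2 or later with the mbstring extension, and the sample input at the bottom is constructed.

```php
<?php
// Added example, not Zend\Escaper's code: context-specific escapers that
// pass only alphanumerics and a small per-context "immune" set, encoding
// every other code point. Class and method names are assumptions.
declare(strict_types=1);

final class ContextEscaper
{
    private const ENCODING = 'UTF-8';

    // Reject malformed input up front: a broken byte sequence can make a
    // browser resynchronise differently from the escaper and slip past it.
    private static function assertUtf8(string $s): void
    {
        if (!mb_check_encoding($s, self::ENCODING)) {
            throw new InvalidArgumentException('Input is not valid UTF-8');
        }
    }

    // HTML body context: the permissive case, handled by htmlspecialchars.
    public static function html(string $s): string
    {
        self::assertUtf8($s);
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, self::ENCODING);
    }

    // HTML attribute context: only [A-Za-z0-9,.-_] pass through; everything
    // else becomes an entity (named where one exists, numeric otherwise), so
    // the value stays inert even inside an unquoted attribute.
    public static function htmlAttr(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^A-Za-z0-9,._-]/u', function (array $m): string {
            static $named = ['&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'];
            if (isset($named[$m[0]])) {
                return $named[$m[0]];
            }
            $cp = mb_ord($m[0], self::ENCODING);
            // Control characters have no meaning in an attribute; emit U+FFFD.
            if ($cp < 0x20 && !in_array($cp, [0x09, 0x0A, 0x0D], true)) {
                return '&#xFFFD;';
            }
            return sprintf('&#x%X;', $cp);
        }, $s);
    }

    // JavaScript string context: only [A-Za-z0-9,._] pass through; the rest
    // is emitted as \xHH or \uHHHH (a surrogate pair above the BMP).
    public static function js(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
            $cp = mb_ord($m[0], self::ENCODING);
            if ($cp < 0x100) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp < 0x10000) {
                return sprintf('\\u%04X', $cp);
            }
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }, $s);
    }

    // CSS context: no safe characters outside alphanumerics. Each other code
    // point becomes \HH..., followed by a space that terminates the hex escape.
    public static function css(string $s): string
    {
        self::assertUtf8($s);
        return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
            return sprintf('\\%X ', mb_ord($m[0], self::ENCODING));
        }, $s);
    }

    // URL parameter context: the other permissive case, RFC 3986 percent-encoding.
    public static function url(string $s): string
    {
        self::assertUtf8($s);
        return rawurlencode($s);
    }
}

// Constructed sample input, placed in each context a template might use.
$input = "\" onmouseover='x()' <b>é</b>";
printf('<div title="%s">', ContextEscaper::htmlAttr($input));
printf('%s</div>', ContextEscaper::html($input));
printf("<script>var t = '%s';</script>", ContextEscaper::js($input));
printf('<style>.x:before { content: "%s"; }</style>', ContextEscaper::css($input));
printf('<a href="/search?q=%s">', ContextEscaper::url($input));
```

The point of the deny-by-default regexes is the one made in the thread: the allowed set per context is fixed by the relevant standard, so a new browser quirk rarely changes the rule, whereas a blacklist of dangerous characters would need updating with every new nuance. The escapers are also not interchangeable; the same input must be run through the escaper for the context it is emitted into, and a value that lands in two contexts (a URL inside an attribute, say) is escaped for the inner one first and then the outer.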