Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:63109 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 35052 invoked from network); 18 Sep 2012 19:29:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Sep 2012 19:29:53 -0000 Authentication-Results: pb1.pair.com smtp.mail=mikegstowe@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=mikegstowe@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.170 as permitted sender) X-PHP-List-Original-Sender: mikegstowe@gmail.com X-Host-Fingerprint: 209.85.217.170 mail-lb0-f170.google.com Received: from [209.85.217.170] ([209.85.217.170:44706] helo=mail-lb0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 15/A1-07072-0BBC8505 for ; Tue, 18 Sep 2012 15:29:52 -0400 Received: by lbbgp3 with SMTP id gp3so286114lbb.29 for ; Tue, 18 Sep 2012 12:29:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=vM7T2Tk2QXtVq+bT8wmwivBYJLECleHWVb28O0X4r6k=; b=HWkpPql5SLD6h/jZaWL3JVZ9hTNmnehe4CORqRpVFZtmaRm7gD/tFyMl0jARY6sjHI Kk+6TKMRdHvj7r/w1AJ+22Il5Wg7T1cZ4Oz8L4Ee6ZS0Ji3bw4aqLFTtvhi8Bs/a4JOo QIj7arbcuXhwC6kT4ZpmbJOH3M4Ikf52NysMeUGpqhBISGXKguoKQoKeSVUJ7DD+zMng eh7wkDTAnReSz5X1l5E/yGKBkvveYOIIc8xvOVKoEO/VrZ/ISU6x4Cs1xQipqcXrrlze FA8scrO2aJno3CSIMDeHNWWav2/tabjRzO1DLUZzN7RRyCBduOH/MF/hRpRfmST18JaQ mF0A== Received: by 10.112.82.170 with SMTP id j10mr288614lby.8.1347996589078; Tue, 18 Sep 2012 12:29:49 -0700 (PDT) MIME-Version: 1.0 Sender: mikegstowe@gmail.com Received: by 10.114.6.105 with HTTP; Tue, 18 Sep 2012 12:29:28 -0700 (PDT) In-Reply-To: <5058C809.50005@lsces.co.uk> References: <5058A697.30903@sugarcrm.com> <5058A8B8.3070404@sugarcrm.com> <5058A97A.4080900@ajf.me> <5058AABA.1040406@sugarcrm.com> <5058B5A5.6090302@sugarcrm.com> <5058BA43.8010806@mrclay.org> <5058BBA6.4090702@sugarcrm.com> <5058C809.50005@lsces.co.uk> Date: Tue, 18 Sep 2012 14:29:28 -0500 X-Google-Sender-Auth: qfNj9HHgBZjdWFXRe_W4D_WEdrE Message-ID: To: Lester Caine Cc: PHP Internals Content-Type: multipart/alternative; boundary=f46d04016c23d9ba8d04c9fee939 Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class From: me@mikestowe.com (Michael Stowe) --f46d04016c23d9ba8d04c9fee939 Content-Type: text/plain; charset=ISO-8859-1 *Basically if you are STORING XSS intrusions then you have badly designed code as there is no reason that it would be stored. If you want to 'display' suspect code, then it is 'escaped' before it is stored so preventing a potential problem if another viewer accesses the raw data!* While that is true, there is always the risk of code being injected into your data-store through another source or being initially bypassed somewhere on your script. So yes, you absolutely want to have the correct filters and sanitation in place prior to storing, but as an added precaution I think it is wise to be always escaping data prior to output as well. - Mike On Tue, Sep 18, 2012 at 2:14 PM, Lester Caine wrote: > Anthony Ferrara wrote: > >> Personally, I'd rather have a dedicated API. It's the only way that >> semantic meaning of the API will be preserved. >> >> In this case, I would start it as a PECL extension implementing the ESAPI >> library. Get the API right, and prove it works, then pull it into core. >> > > Sounds the right way to placate the people who prefer this approach to > building code. We then have the option to leave it off if we don't use it > ;) I've even got a stock distribution that does not include any MySQL core > stuff now so I'm happy with this modular approach. > > > You can keep cramming the escaping concerns into a global filter handler >> all you want. Or we could stop, and think about designing proper APIs for >> a >> change. Where the API imparts both implementation and semantic meaning. An >> API where it's easy to see if a user gets it right or not. >> > > Looking at the output 'filtering' applied to my own systems, I am more > than happy that ACTUALLY I eliminate the problems people are quoting here, > XSS prevention, by ensuring that the data being STORED is cleaned up in a > way that I don't need to 'escape' anything. I do need to be able to > 'encode' the output date to correctly display it but nothing in that > process should be able to create an XSS problem? I do apply 'filtering' to > the html tags which removes those that I do not want to be stored in page > content, and css is similarly processed, so we have a run time dictionary > that controls the processing rather than that being hard coded in the > filters. > > Basically if you are STORING XSS intrusions then you have badly designed > code as there is no reason that it would be stored. If you want to > 'display' suspect code, then it is 'escaped' before it is stored so > preventing a potential problem if another viewer accesses the raw data! > > > -- > Lester Caine - G8HFL > ----------------------------- > Contact - http://lsces.co.uk/wiki/?page=**contact > L.S.Caine Electronic Services - http://lsces.co.uk > EnquirySolve - http://enquirysolve.com/ > Model Engineers Digital Workshop - http://medw.co.uk > Rainbow Digital Media - http://rainbowdigitalmedia.co.**uk > > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > -- ----------------------- "My command is this: Love each other as I have loved you." John 15:12 ----------------------- --f46d04016c23d9ba8d04c9fee939--