Newsgroups: php.internals
Xref: news.php.net php.internals:63114
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: Paul Dragoonis <dragoonis@gmail.com>
To: Rasmus Lerdorf
Cc: PHP Internals
Date: Tue, 18 Sep 2012 21:11:02 +0100
In-Reply-To: <5058D070.1030605@lerdorf.com>

On Tue, Sep 18, 2012 at 8:50 PM, Rasmus Lerdorf wrote:
> On 09/18/2012 03:46 PM, Pádraic Brady wrote:
>> Bear in mind the RFC, in userland (and likely any PECL ext) implements
>> the ESAPI rules. They've been hacked on a lot over the years which is
>> why I made sure they were followed exactly. It's very unlikely that a
>> browser bug could scupper these unless they allowed in more unencoded
>> characters to be taken advantage of. There are benefits to reusing
>> pre-peer review rules.
>
> Sure, but you have potential for buffer overflows, regex
> backtrack/recursion issues and general programming errors when this
> moves to C. I guarantee there will be dozens of bugs in the first
> version no matter who writes it.

Hi Rasmus,

The existing implementations at symfony\zend are working pretty well. They're using string manipulation and regex functions.

If we port it to C, can't we still use the exact same functions that the PHP_FUNCTION() macros are calling to pretty much clone it? Would this minimise the amount of change (if any)?

- Paul

> -Rasmus
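The buffer-overflow risk Rasmus raises is concrete in a C port because every encoded byte can grow up to six times (`"` becomes `&quot;`, a space becomes `&#x20;`). The block below is an added illustration, not code from the RFC, from Zend\Escaper, from Symfony or from any PHP source: an HTML-attribute escaper in C that measures before it writes, so the output size is known and no caller can be handed a half-written entity. It assumes the OWASP/ESAPI attribute rule that everything outside `[A-Za-z0-9,.-_]` is encoded (named entities for the five HTML specials, `&#xHH;` for other ASCII bytes), and, as a simplification labelled in the comments, it passes bytes >= 0x80 through on the assumption that the caller has already validated the input as UTF-8. The function names (`escape_html_attr`, `escape_html_attr_dup`, `escape_matches`, `escape_fits`) and the sample payload are inventions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that pass through unchanged in an attribute value:
   ASCII alphanumerics plus ",.-_". Everything else is encoded. */
static int attr_safe(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') ||
           c == ',' || c == '.' || c == '-' || c == '_';
}

/* Replacement for one input byte, or NULL when the byte is copied as-is.
   scratch must hold at least 8 bytes ("&#xHH;" plus NUL). */
static const char *attr_entity(unsigned char c, char scratch[8])
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";   /* &apos; is not HTML 4, so use hex */
    default:   break;
    }
    /* Assumption of this example: input was validated as UTF-8 by the
       caller, so bytes >= 0x80 belong to multibyte sequences and are
       copied through. A real port must decode code points instead of
       trusting raw bytes. */
    if (attr_safe(c) || c >= 0x80)
        return NULL;
    snprintf(scratch, 8, "&#x%02X;", c);
    return scratch;
}

/* Encode in[0..in_len) into out. Returns the length the full encoding
   needs (excluding NUL) whether or not it fit. If it does not fit,
   nothing but "" is written, so the caller can never see a truncated
   entity. out == NULL with out_cap == 0 is a pure size query. */
size_t escape_html_attr(const char *in, size_t in_len,
                        char *out, size_t out_cap)
{
    char scratch[8];
    size_t needed = 0, pos = 0, i;

    /* Pass 1: measure (worst case 6x growth). */
    for (i = 0; i < in_len; i++) {
        const char *rep = attr_entity((unsigned char)in[i], scratch);
        needed += rep ? strlen(rep) : 1;
    }
    if (out_cap == 0)
        return needed;
    if (needed >= out_cap) {          /* no room for content plus NUL */
        out[0] = '\0';
        return needed;
    }
    /* Pass 2: write, now known to fit. */
    for (i = 0; i < in_len; i++) {
        const char *rep = attr_entity((unsigned char)in[i], scratch);
        if (rep) {
            size_t n = strlen(rep);
            memcpy(out + pos, rep, n);
            pos += n;
        } else {
            out[pos++] = in[i];
        }
    }
    out[pos] = '\0';
    return needed;
}

/* Heap-allocating convenience: size first, then allocate exactly. */
char *escape_html_attr_dup(const char *in)
{
    size_t in_len = strlen(in);
    size_t needed = escape_html_attr(in, in_len, NULL, 0);
    char *buf = malloc(needed + 1);
    if (buf == NULL)
        return NULL;
    escape_html_attr(in, in_len, buf, needed + 1);
    return buf;
}

/* 1 if escaping `in` yields exactly `expected`, else 0. */
int escape_matches(const char *in, const char *expected)
{
    char *got = escape_html_attr_dup(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

/* 1 if the encoding of `in` fits in a caller buffer of out_cap bytes
   (NUL included); out_cap is clamped to the 64-byte demo buffer. */
int escape_fits(const char *in, size_t out_cap)
{
    char buf[64];
    if (out_cap > sizeof buf)
        out_cap = sizeof buf;
    return escape_html_attr(in, strlen(in), buf, out_cap) < out_cap;
}

int main(void)
{
    /* Constructed sample: an attribute-breakout payload. */
    const char *payload = "\" onmouseover=\"alert(1)";
    char *safe = escape_html_attr_dup(payload);
    printf("<input value=\"%s\">\n", safe);
    free(safe);
    return 0;
}
```

The point of the two-pass shape is that the size computation and the write share one table (`attr_entity`), so they cannot disagree; a single-pass version that guesses "6 * in_len" is where the classic off-by-one on the NUL or on a 6-byte entity creeps in.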