Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:63119 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 56981 invoked from network); 18 Sep 2012 21:05:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Sep 2012 21:05:15 -0000 Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 213.123.26.185 cause and error) X-PHP-List-Original-Sender: lester@lsces.co.uk X-Host-Fingerprint: 213.123.26.185 c2beaomr07.btconnect.com Received: from [213.123.26.185] ([213.123.26.185:38102] helo=mail.btconnect.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 77/36-07072-A02E8505 for ; Tue, 18 Sep 2012 17:05:15 -0400 Received: from host81-138-11-136.in-addr.btopenworld.com (EHLO _10.0.0.5_) ([81.138.11.136]) by c2beaomr07.btconnect.com with ESMTP id JBG69732; Tue, 18 Sep 2012 22:05:11 +0100 (BST) Message-ID: <5058E206.60501@lsces.co.uk> Date: Tue, 18 Sep 2012 22:05:10 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120604 Firefox/13.0 SeaMonkey/2.10 MIME-Version: 1.0 To: PHP Internals References: <5058A697.30903@sugarcrm.com> <5058A8B8.3070404@sugarcrm.com> <5058A97A.4080900@ajf.me> <5058AABA.1040406@sugarcrm.com> <5058B5A5.6090302@sugarcrm.com> <5058BA43.8010806@mrclay.org> <5058BBA6.4090702@sugarcrm.com> <5058C809.50005@lsces.co.uk> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=tid=0001.0A0B0302.5058E207.0004, actions=tag X-Junkmail-Premium-Raw: score=7/50, refid=2.7.2:2012.9.18.204518:17:7.944, ip=81.138.11.136, rules=__MOZILLA_MSGID, __HAS_MSGID, __SANE_MSGID, __HAS_FROM, __USER_AGENT, __MIME_VERSION, __TO_MALFORMED_2, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __SUBJ_ALPHA_END, __CT, __CT_TEXT_PLAIN, __CTE, __ANY_URI, __URI_NO_MAILTO, __URI_NO_WWW, __CP_URI_IN_BODY, BODY_ENDS_IN_URL, BODY_SIZE_3000_3999, __MIME_TEXT_ONLY, RDNS_GENERIC_POOLED, HTML_00_01, HTML_00_10, BODY_SIZE_5000_LESS, RDNS_SUSP_GENERIC, RDNS_SUSP, BODY_SIZE_7000_LESS X-Junkmail-Status: score=10/50, host=c2beaomr07.btconnect.com X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B020B.5058E207.00FF:SCFSTAT14830815,ss=1,re=-4.000,fgs=0, ip=0.0.0.0, so=2011-07-25 19:15:43, dmn=2011-05-27 18:58:46, mode=multiengine X-Junkmail-IWF: false Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class From: lester@lsces.co.uk (Lester Caine) Anthony Ferrara wrote: > Lester, > > Basically if you are STORING XSS intrusions then you have badly designed > code as there is no reason that it would be stored. If you want to 'display' > suspect code, then it is 'escaped' before it is stored so preventing a > potential problem if another viewer accesses the raw data! > > > I wasn't going to reply to you, but this is just plain wrong. > > You should always consider ANYTHING that's outside the runtime of your > application (not in memory of the current instance) to be insecure. Feel free to > store XSS in your database. Because you're not going to trust it anyway. The > second you trust content in your database, you've opened more potential attack > vectors. > > The proper solution is to do context based escaping/encoding at the moment of > output. That way you can update your escaping code if you find a bug and all > your content will be protected. If you find a bug in your escaper when you > escape on input, how the heck to do you propose to fix it for all the content > already stored without looping over every single item and updating the DB table > (also a bad design). > > No, you should Filter In (make sure that content meets your domain criteria, eg > username alphanumeric, email looks like an email, etc), and Escape Out (prevent > Injection and XSS vulnerabilities when that data leaves your application). Any > other way of doing it is going to lead to attack vectors. But if you diligently > Escape Out, Injection and XSS are IMPOSSIBLE. And even if you have a bug in your > algorithm that allows an edge case, you can fix it once and have it fixed for good. > > And that doesn't even approach the problem where the same data will be used in > different output contexts (which require separate escaping mechanisms). Thereby > completely destroying any security you thought you had by pre-escaping. > > So no, you're wrong. It's badly designed code to escape HTML prior to storage. I have to strongly dispute that. I will NEVER store 'dirty' html in the database. In fact even ckeditor ensures that the stored data is clean and can be output raw if necessary. *IF* a forum post, blog or wiki need to store suspect code as an example then it should never be stored in it's dirty form. I HAVE to escape it to get it IN to the database as otherwise it will not be saved. But perhaps what I should point out here is that the formatting tags will not be escaped, only the free format text. That is the only way to ensure that users can't 'inject' extra tags into the pages manually. I could not handle escaping the user input in any other way? You can't simply 'escape' the output at all? -- Lester Caine - G8HFL ----------------------------- Contact - http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw.co.uk Rainbow Digital Media - http://rainbowdigitalmedia.co.uk