Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63120
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.170 as permitted sender)
MIME-Version: 1.0
In-Reply-To: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com>
References: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com>
Date: Tue, 18 Sep 2012 18:06:24 -0400
Message-ID: <CAJzDObfTGxePA8h_tCK__g25F6PRvndfpADZNg88c1M5znFS8Q@mail.gmail.com>
To: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: adamjonr@gmail.com (Adam Jon Richardson)

On Tue, Sep 18, 2012 at 7:30 AM, P=E1draic Brady <padraic.brady@gmail.com> =
wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> https://wiki.php.net/rfc/escaper

Some Quick Thoughts


Multiparadigm PHP

I hope any implementation would embrace procedural coding paradigms
AND OOP paradigms. I tend to code using a Functional Programming (FP)
style, and I don't need/want objects to be the only interface.


Extension First

It seems wise to get this working and tested as an extension first,
just as Rasmus and others suggested.



Ability To Pass Some HTML Through Without Escaping (Whitelisting)

Functions should allow whitelisting of elements when desired. For
example, html escaping may be desired for all elements in a paragraph
except for spans, br's, etc.

I've built a quick extension that I use in my web framework that does this:
https://github.com/AdamJonR/nephtali-php-ext

string nephtali_str_escape_html(string str [, array whitelist [,
string charset]])

The escaping works as outlined below:

1) Escape all html special characters in str.
2) Loop through whitelist items.
3a) If the item begins and ends with '/', consider it a regex and
replace the matches in the string with the original (htmlspecialchars
decoded) text (this works because <,>,",', and & are not meta
characters in regexes.)
3b) Otherwise, handle as a standard string and replace the matches
with the unescaped whitelist item text.

The idea is that, to be safe, everything should be first escaped.
Then, only unescape the items that match the whitelist (e.g.,
array('<p>','</p>','etc.').) The regex option is handy because you
often have situations where the internal contents of the tag vary
(e.g., id, class, href, etc.) and this allows you to pass these
through unescaped.

Of note, I've not officially released the extension, as I'm still
testing/developing it, but it serves as an example for ideas.


PHP Escaping-Specific Tags Could Be Considered

I wonder if PHP tags for escaping could be considered, as it seems
that there's still a plurality of developers that use PHP itself as
the templating language. For example:

// automatically echo'd and escaped for special html chars
 <?php:html $obj->val ?>

// automatcially echo'd and escaped for special html chars whilst
letting through p's
 <?php:html $obj->val, array('<p>','</p>') ?>

// automatcially echo'd and escaped for special html chars whilst
letting through p's and using different encoding
 <?php:html $obj->val, array('<p>','</p>'), $encoding =3D 'something' ?>

// automatcially echo'd and escaped for special html chars, no
whitelisting allowed
 <?php:attr $obj->val ?>

// automatcially echo'd and escaped for special url chars, no
whitelisting allowed
 <?php:url $obj->val ?>

Thanks,

Adam