Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63125
Return-Path: <tomas.creemers@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89859 invoked from network); 19 Sep 2012 06:11:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Sep 2012 06:11:25 -0000
Authentication-Results: pb1.pair.com smtp.mail=tomas.creemers@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=tomas.creemers@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.42 as permitted sender)
X-PHP-List-Original-Sender: tomas.creemers@gmail.com
X-Host-Fingerprint: 209.85.160.42 mail-pb0-f42.google.com  
Received: from [209.85.160.42] ([209.85.160.42:51952] helo=mail-pb0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 65/12-05716-C0269505 for <internals@lists.php.net>; Wed, 19 Sep 2012 02:11:25 -0400
Received: by pbbrp8 with SMTP id rp8so1692750pbb.29
        for <internals@lists.php.net>; Tue, 18 Sep 2012 23:11:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=+1vg6pZCbkxO9Fd/NeyYKJM47r3vpy/hM/3+DbbQZ4c=;
        b=H7CnDFGc1yjwVdDoxXcWJPIBKihZvmnznUOG+xdZndnRAwqWauSc7qGRJ++vtd4Pno
         kaUabMDzs7Ip0xtJqJMYkXu9tCyK6aGmwkooAz4TDQxYytzmxccTZkwQJ8D4FOoAbr3J
         KSgbsJU1Y4gBTLVn+ijZaTWjXk8eWKRY5Oha4SKwKZd3CS8iGHAj5VAKWxjv0CgMSnPH
         0AQoT/lFsxAQyYntefX2/cWI/JFyDU9DgAo3wxj9CRFOrYaOKX2+kL7xQWg9sdiDw+6X
         Llkx/akaPpP6VSccPWGu88uFgAJjUM/VUTti6Tb6VOdeCtOAu5egHGkO5GCPDL1P9fb2
         GcEg==
MIME-Version: 1.0
Received: by 10.68.237.3 with SMTP id uy3mr4757246pbc.30.1348035082161; Tue,
 18 Sep 2012 23:11:22 -0700 (PDT)
Received: by 10.66.122.98 with HTTP; Tue, 18 Sep 2012 23:11:22 -0700 (PDT)
Date: Wed, 19 Sep 2012 08:11:22 +0200
Message-ID: <CAO1hux8mmUsy4badiNjxTGMubaduD1gkgbw4ZK1Me_MwGwLybA@mail.gmail.com>
To: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: RFC: Implementing a core anti-XSS escaping class
From: tomas.creemers@gmail.com (Tomas Creemers)

Hi all,



If this is going to be implemented as a class, what is the advantage
of instantiation for this? Unless I'm missing it, I would propose that
the functions are made static.

In other words, I would prefer this:

echo Escaper::escapeHtml('<b>test</b>');


over this:

$e = new Escaper;
echo $e->escapeHtml('<b>test</b>');



Regards,

Tomas




> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
>
> Best regards,
> Paddy