Newsgroups: php.internals
Xref: news.php.net php.internals:63126
Subject: Re: [PHP-DEV] Re: RFC: Implementing a core anti-XSS escaping class
From: krebs.seb@gmail.com (Sebastian Krebs)
To: Tomas Creemers
Cc: internals@lists.php.net
Date: Wed, 19 Sep 2012 08:34:59 +0200

2012/9/19 Tomas Creemers

> Hi all,
>
> If this is going to be implemented as a class, what is the advantage
> of instantiation for this? Unless I'm missing it, I would propose that
> the functions are made static.
>
> In other words, I would prefer this:
>
>     echo Escaper::escapeHtml('test');
>
> over this:
>
>     $e = new Escaper;
>     echo $e->escapeHtml('test');
>
> Regards,
> Tomas

Hi,

I guess the reason is the same as the reason why you should just avoid static methods in general. But just one example: try to extend the class and then _always_ use the extended one ;)

Regards,
Sebastian

> > Hi all,
> >
> > I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> > The RFC is a proposal to implement a standardised means of escaping
> > data which is being output into XML/HTML.
> >
> > Cross-Site Scripting remains one of the most common vulnerabilities in
> > web applications and there is a continued lack of understanding
> > surrounding how to properly escape data. To try and offset this, I've
> > written articles, attempted to raise awareness and wrote the
> > Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> > adopted similar measures in line with its own focus on security.
> >
> > That's all. The RFC should be self-explanatory and feel free to pepper
> > me with questions. As the RFC notes, I'm obviously not a C programmer
> > so I'm reliant on finding a volunteer who's willing to take this one
> > under their wing (or into their basement - whichever works).
> >
> > https://wiki.php.net/rfc/escaper
> >
> > Best regards,
> > Paddy
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
github.com/KingCrunch
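Sebastian's objection to the static form, shown as an added PHP 8 example that is not code from the RFC, from Zend\Escaper or from anyone in the thread: an instance-based escaper, a subclass that extends it, and a template that receives the escaper by injection, so the extended class is picked up without editing a single call site. Everything except the `escapeHtml` name from the thread (the class names, the `AuditingEscaper` subclass, `renderComment`) is an assumption made for illustration.

```php
<?php
// Added example, not the RFC's or Zend\Escaper's code. Names other than
// escapeHtml() are hypothetical. Requires PHP 8 (constructor promotion).

class Escaper
{
    public function __construct(private string $encoding = 'UTF-8') {}

    // HTML body context: neutralise &, <, >, " and ' so untrusted data
    // cannot terminate the surrounding text node or start a tag.
    public function escapeHtml(string $value): string
    {
        return htmlspecialchars(
            $value,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            $this->encoding
        );
    }
}

// Extended escaper with the same contract that also records every value
// it escaped (e.g. for an audit log). With Escaper::escapeHtml() hard-coded
// in templates, every template would need editing to use this class; with
// an injected instance, the templates stay untouched.
class AuditingEscaper extends Escaper
{
    /** @var list<string> */
    public array $seen = [];

    public function escapeHtml(string $value): string
    {
        $this->seen[] = $value;
        return parent::escapeHtml($value);
    }
}

// The template depends on the Escaper type, not on a concrete class.
function renderComment(Escaper $e, string $author, string $body): string
{
    return '<p><b>' . $e->escapeHtml($author) . '</b>: '
        . $e->escapeHtml($body) . '</p>';
}

// Constructed sample input: a tag, an ampersand and double quotes.
$comment = '<script>x</script> & "quoted"';
echo renderComment(new Escaper(), 'mallory', $comment), "\n";

// Swap in the extended escaper; renderComment() is unchanged.
$auditing = new AuditingEscaper();
echo renderComment($auditing, 'mallory', $comment), "\n";
echo count($auditing->seen), " values escaped\n";
```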