Newsgroups: php.internals
Date: Wed, 19 Sep 2012 14:50:11 +0100
To: Tomas Creemers
Cc: Sebastian Krebs, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: RFC: Implementing a core anti-XSS escaping class
From: padraic.brady@gmail.com (Pádraic Brady)

No need to apologise ;). Just wanted to clarify that the character encoding drives the choice of class since it can be easy to miss its importance - amended the RFC a little to highlight it.

Paddy

On Wed, Sep 19, 2012 at 12:55 PM, Tomas Creemers wrote:
> On Wed, Sep 19, 2012 at 9:58 AM, Pádraic Brady wrote:
>> You did notice the character encoding parameter to the constructor? The point of the class is to share that little piece of state and omit it as a required method parameter thus removing one OOP layer for those practicing OOP like all the major frameworks.
>>
>> The RFC notes already that character encoding parameters are NOT optional. They MUST be set on each call outside of the class to enforce explicitness and prevent the currently popular option of imposing a non-configurable default in libs and frameworks. Character encoding is important in escaping and assuming that they are interchangeable doesn't always fit the reality of browser behaviour and bugs.
>>
>> This would apply to static calls as much as plain functions.
>>
>> Paddy
>
> I missed the encoding parameter. While it's still possible to add that
> to a static-only class, that would be more cumbersome and less correct
> than instantiation (since the encoding is state, technically). My
> apologies. Carry on ;-)
>
> Tomas
>
>
>> On 19 Sep 2012, at 08:39, Tomas Creemers wrote:
>>
> [snip]
>>>
>>> I really don't see what class instantiation would add to this design
>>> (if it's going to be a class at all). It doesn't have
>>> instance-specific state.
>>>
>>>
>>> Regards,
>>> Tomas
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>

-- 
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
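
The design point argued in this thread (character encoding as explicit, mandatory constructor state versus a static call that must take it on every invocation), sketched as an added example; it is not code from the RFC or from either poster. Class and method names are hypothetical, the allow-list is constructed for the example, and the mbstring extension is assumed to be loaded.

```php
<?php
// Hypothetical names throughout; this is not the RFC's class or API.
final class HtmlEscaper
{
    // Constructed allow-list for this example.
    private static $supported = array('UTF-8', 'ISO-8859-1', 'ISO-8859-15');

    private $encoding;

    // No default value: the caller has to state the encoding once, explicitly.
    public function __construct($encoding)
    {
        $encoding = strtoupper((string) $encoding);
        if (!in_array($encoding, self::$supported, true)) {
            throw new InvalidArgumentException("Unsupported encoding: $encoding");
        }
        $this->encoding = $encoding;
    }

    public function escapeHtml($value)
    {
        $value = (string) $value;
        // Reject input that is not valid in the declared encoding instead of guessing.
        if (!mb_check_encoding($value, $this->encoding)) {
            throw new InvalidArgumentException('Input is not valid ' . $this->encoding);
        }
        return htmlspecialchars($value, ENT_QUOTES, $this->encoding);
    }
}

// Static-only alternative: the same state has to travel with every call.
final class StaticHtmlEscaper
{
    public static function escapeHtml($value, $encoding)
    {
        return (new HtmlEscaper($encoding))->escapeHtml($value);
    }
}

$escaper = new HtmlEscaper('UTF-8');
echo $escaper->escapeHtml('<a href="x">Tom & "Paddy"</a>'), "\n";
echo StaticHtmlEscaper::escapeHtml('caf' . "\xE9" . ' <b>', 'ISO-8859-1'), "\n";

try {
    // The same ISO-8859-1 bytes are not valid UTF-8, so the UTF-8 escaper refuses them.
    $escaper->escapeHtml('caf' . "\xE9" . ' <b>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```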