Newsgroups: php.internals
In-Reply-To: <5058AFD7.7080703@ajf.me>
References: <5058AD25.8010304@mrclay.org> <5058AFD7.7080703@ajf.me>
Date: Wed, 19 Sep 2012 15:07:43 +0100
To: Andrew Faulds
Cc: Steve Clay, PHP Internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: padraic.brady@gmail.com (Pádraic Brady)

Hi Steve,

Missed this one in the rush of emails...

> I echo this. I think some clearer names might help, I think something like
> these:
>
> escapeHTMLAttribute for attributes, escapeHTMLText for text inside
> tags, escapeXMLAttribute and escapeXMLContent, escapeJSStringLiteral,
> escapeCSSIdentifier, and another needs adding (for url('*') things),
> escapeCSSStringLiteral.

The ESAPI API uses encodeForHTML, encodeForCss, etc. We can name these in a
few different styles which would all be semantically correct, but my own
sentiment is often to keep the naming simple. For example, I'd prefer
escapeForCss vs escapeCSSStringLiteral though both would be valid English
literal alternatives to escapeCss.

It's also worth bearing in mind that these escaping functions are distinct
and separate from the concept of sanitisation or a sanitising filter. For
each escaping option there is a sanitisation alternative where untrusted
input (whether from a user, database or 3rd party service) contains markup
you want to allow through "unescaped". For example, a feed aggregator would
need to output HTML from a 3rd party feed and it may contain URLs that also
need to be validated. HTML, of course, has HTMLPurifier - easily the best
HTML sanitiser. URLs must always be validated to a known good whitelist (not
filter_var() only). CSS can also be sanitised if the user has access to
properties and not just the property values.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
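Added example, not code from the RFC, from Zend\Escaper or from any class the thread proposes: one escaper per output context (HTML text, HTML attribute, JS string literal, CSS value, URL component) next to the separate URL *validation* step the mail insists on, with a scheme whitelist checked before filter_var(). The class name ContextEscaper, the method names, the "safe character" set and the default http/https whitelist are my own choices; it assumes PHP 7.4+ with the mbstring extension and UTF-8 output. The sample strings at the bottom are constructed for the illustration.

```php
<?php
// Added illustration, not code from the RFC or from any PHP class it
// proposes: one escaper per output context, kept separate from the
// URL *validation* the mail mentions. Assumes PHP 7.4+ (mb_str_split)
// and UTF-8 output; all class and method names are my own.
declare(strict_types=1);

final class ContextEscaper
{
    private const ENCODING = 'UTF-8';
    // Single characters left untouched by the attribute/JS/CSS escapers.
    private const SAFE = '/^[a-zA-Z0-9,._-]$/';

    /** Text between tags: only the five significant HTML characters. */
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, self::ENCODING);
    }

    /** Inside an attribute value: every non-safe character becomes a numeric
     *  entity, so the value cannot close the quote or start a new attribute
     *  even if the template author forgot to quote it. */
    public function escapeHtmlAttr(string $s): string
    {
        return $this->encodeChars($s, fn (int $cp): string => sprintf('&#x%02X;', $cp));
    }

    /** Inside a JS string literal: \xHH for Latin-1, \uHHHH above that, so
     *  quotes, </script> and line terminators never reach the JS parser raw. */
    public function escapeJs(string $s): string
    {
        return $this->encodeChars($s, fn (int $cp): string =>
            $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp));
    }

    /** Inside a CSS string or property value: backslash-hex with the space
     *  terminator CSS requires so following hex digits are not absorbed. */
    public function escapeCss(string $s): string
    {
        return $this->encodeChars($s, fn (int $cp): string => sprintf('\\%X ', $cp));
    }

    /** A single URL component (query value, path segment), never a whole URL. */
    public function escapeUrl(string $s): string
    {
        return rawurlencode($s);
    }

    /**
     * Validation, not escaping. A whole URL taken from a feed or a user is
     * accepted only if its scheme is on the caller's whitelist;
     * filter_var(FILTER_VALIDATE_URL) is only a syntax check afterwards
     * and says nothing about whether a scheme is safe to put in an href.
     */
    public function validateUrl(string $url, array $allowedSchemes = ['http', 'https']): ?string
    {
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
            return null;
        }
        return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
    }

    /** Walk the string one code point at a time and hand each unsafe one
     *  to the context-specific encoder. */
    private function encodeChars(string $s, callable $encode): string
    {
        // Invalid UTF-8 is rejected rather than "fixed": a mangled sequence may
        // be re-interpreted by the browser as a character the escaper never saw.
        if (!mb_check_encoding($s, self::ENCODING)) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        $out = '';
        foreach (mb_str_split($s, 1, self::ENCODING) as $chr) {
            $out .= preg_match(self::SAFE, $chr) === 1
                ? $chr
                : $encode(mb_ord($chr, self::ENCODING));
        }
        return $out;
    }
}

// Usage: the same untrusted string needs a different escaper per context,
// and a whole URL from a third-party feed is validated, not escaped.
$e   = new ContextEscaper();
$bad = '"><script>alert(1)</script>';         // constructed sample input

echo '<p>' . $e->escapeHtml($bad) . "</p>\n";
echo '<input value="' . $e->escapeHtmlAttr($bad) . "\">\n";
echo "<script>var n = '" . $e->escapeJs($bad) . "';</script>\n";
echo '<div style="font-family: \'' . $e->escapeCss($bad) . "'\">\n";
echo '<a href="/search?q=' . $e->escapeUrl($bad) . "\">\n";

// Constructed URLs: only the https one survives the scheme whitelist.
foreach (['https://example.com/feed.xml', 'javascript:alert(1)', 'ftp://example.com/x'] as $url) {
    $ok = $e->validateUrl($url);
    echo $url, ' => ', $ok === null ? 'rejected' : 'allowed', "\n";
}
```

The split the mail draws is visible in the two kinds of method: the escapers are total functions that always return something safe for one specific context, while validateUrl can say "no" and returns null, which the caller must handle (drop the link, or fall back to plain text). Picking the escaper by where the value lands in the template, not by where it came from, is the whole point of having several of them.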