Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:63141 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 48334 invoked from network); 19 Sep 2012 15:36:27 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Sep 2012 15:36:27 -0000 Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.42 as permitted sender) X-PHP-List-Original-Sender: padraic.brady@gmail.com X-Host-Fingerprint: 209.85.160.42 mail-pb0-f42.google.com Received: from [209.85.160.42] ([209.85.160.42:43340] helo=mail-pb0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 8D/95-15057-A76E9505 for ; Wed, 19 Sep 2012 11:36:27 -0400 Received: by pbbrp8 with SMTP id rp8so2726386pbb.29 for ; Wed, 19 Sep 2012 08:36:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ihzg0Wq5JkaAI10A5zLPZHe2rTdPs2ffrsCnsHrMd5A=; b=xWy+5fBOjeTdTn0uSJ3AzLCi/gtVqE1VFMPchfRi6C6hEc9/DSBnTbYvd0EjzKNAIf mRoX3WlznWK5SD9IzIZPrUaEdJVWMroRapCEYO+MDUFZDywfmAzRckvrAjDx66WHHvNU SLmnmcR27AtgSH8T361aHBjZCRWIsjMPr/Yak5FIFC7CZfJ4QgSbwX3klzx0hVDeoVym 6EkDhEiAxh2fDo7tmmqlv+ZhsXTdrEHZfi4ZkY+JQNtapof3PGHH7fZ7795uqHpOFxPM 51qU+8gIJx3Vef1huujDglHspuynCmc1gUw7HLyDIJ9uEXQRSiJG8ZeehwlmSvIza7RL cm1Q== MIME-Version: 1.0 Received: by 10.68.241.232 with SMTP id wl8mr8368090pbc.112.1348068983872; Wed, 19 Sep 2012 08:36:23 -0700 (PDT) Received: by 10.66.73.42 with HTTP; Wed, 19 Sep 2012 08:36:23 -0700 (PDT) In-Reply-To: <5059E3A2.3090805@ajf.me> References: <5058AD25.8010304@mrclay.org> <5058AFD7.7080703@ajf.me> <5059E3A2.3090805@ajf.me> Date: Wed, 19 Sep 2012 16:36:23 +0100 Message-ID: To: Andrew Faulds Cc: Steve Clay , PHP Internals Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class From: padraic.brady@gmail.com (=?ISO-8859-1?Q?P=E1draic_Brady?=) >> Hi Steve, > > Who's he? :) Everybody knows Steve! :P I know at least 10! >> The ESAPI API uses encodeForHTML, encodeForCss, etc. We can name these >> in a few different styles which would all be semantically correct but >> my own sentiment is often to keep the naming simple. > > The naming is unclear just now though. Than I suggest including "For" in all of them. escapeForHtml, escapeForUrl, etc. That should clear it up somewhat that we're not targeting whole blocks of HTML/JS/CSS. >> For example, I'd prefer escapeForCss vs escapeCSSStringLiteral though >> both would be valid English literal alternatives to escapeCss. > > You can't just have escapeForCSS, you need two functions: one for CSS > identifier names (.identifier, #identifier, etc.), and one for CSS string= s > (background-image: url('string'); or content: 'string') Not really, the target here is breaking out of a CSS or HTML context. If you allow users to alter identifiers or properties than escaping is just wrong - you should be sanitising instead to make sure the CSS is still well formed and agrees to a whitelist of allowed ids/props. > Also, escapeForJS isn't very clear, you should explicitly specify you're > escaping a string of text for a JavaScript string literal. I don't think = you > can escape JS identifier names. JS is purely for literal values and not any JS variables/statements or anything else. Those can never ever be subject to any form of untrusted input. Paddy --=20 P=E1draic Brady http://blog.astrumfutura.com http://www.survivethedeepend.com Zend Framework Community Review Team