Newsgroups: php.internals (php.internals:63143)
Subject: Re: [PHP-DEV] Re: RFC: Implementing a core anti-XSS escaping class
From: Michael Shadle <mike503@gmail.com>
To: Leigh
Cc: internals@lists.php.net
Date: Wed, 19 Sep 2012 09:06:43 -0700
Message-ID: <72B22976-6F00-4EF5-88B3-140576CFE4E7@gmail.com>
In-Reply-To: <0960EAA5-17FF-4E0F-9DDE-BB93D13EA02B@gmail.com>

> It feels like this is just using classes for the sake of using
> classes, adding an unnecessary layer of complexity (and discussion)
> for no real reason except that is the RFC author's preference.

+1

First the discussion was filtering vs escaping. Now it is about how to implement it as a class etc.

I don't understand why people have any issue with it being a core procedural function. You can call that from your OO code just fine. Just like any other core procedural function.

There is no reason it has to be OO. OO has to call procedural functions already (string functions, array functions, curl, json, etc etc); but us procedural purists don't have to call OO methods and classes if we don't need to (except now some of the DateTime IIRC, which bugs me :p)

Anyway, how hard is it to use something akin to the filter functions? That's what constants/flags are for.

Call it str_escape(string, flags optional, encoding optional) and be done with it. Since it won't be useful to have escape_var or escape_input type of differentiation, and this seems like it could just fit under the string family of functions (I am a fan of namespaced functions by prefix).

After that it seems like the discussion would be:

1) do we even need encoding or is UTF8 just fine
2) what are the flags to be defined for different escaping methods

$.02
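As an added illustration of the procedural shape proposed in this message (not code from the RFC, from PHP core, or from the poster), here is a PHP sketch of str_escape(string, flags, encoding) that answers the two open questions above with one possible choice: the ESCAPE_* constants, their values and the per-context escaping rules are assumptions made for this example.

```php
<?php
// Added sketch of the proposed procedural API; not part of PHP or the RFC.
// Flag constants and per-context rules below are assumptions for illustration.
const ESCAPE_HTML     = 1;  // element text content
const ESCAPE_HTMLATTR = 2;  // value inside a quoted attribute
const ESCAPE_JS       = 4;  // string literal inside a <script> block
const ESCAPE_URL      = 8;  // single query-string component

function str_escape(string $string, int $flags = ESCAPE_HTML, string $encoding = 'UTF-8'): string
{
    // Refuse malformed input instead of escaping bytes the encoder cannot classify.
    if (!mb_check_encoding($string, $encoding)) {
        throw new InvalidArgumentException("input is not valid $encoding");
    }
    // Escape on UTF-8 code points, then hand the result back in the caller's encoding.
    $utf8 = mb_convert_encoding($string, 'UTF-8', $encoding);

    switch ($flags) {
        case ESCAPE_HTML:
            $out = htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            break;
        case ESCAPE_HTMLATTR:
            // Attribute context: only [A-Za-z0-9,.-_] pass through; all else becomes &#xHH;
            $out = preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m): string {
                return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
            }, $utf8);
            break;
        case ESCAPE_JS:
            // JS string context: \uXXXX escapes, with surrogate pairs above the BMP
            $out = preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
                $cp = mb_ord($m[0], 'UTF-8');
                if ($cp < 0x10000) {
                    return sprintf('\\u%04X', $cp);
                }
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }, $utf8);
            break;
        case ESCAPE_URL:
            $out = rawurlencode($utf8);   // RFC 3986 percent-encoding of one component
            break;
        default:
            // One context per call; combined flags have no meaningful interpretation.
            throw new InvalidArgumentException('unknown or combined escape flag');
    }
    return mb_convert_encoding($out, $encoding, 'UTF-8');
}

echo str_escape('<b onmouseover="x()">', ESCAPE_HTMLATTR), "\n";
```

Each flag selects exactly one output context, which is the property that makes an escaper useful against XSS; a caller that picks the wrong flag for where the string lands gets no protection, so the flag set itself is the real design question raised in point 2.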