Newsgroups: php.internals
From: leight@gmail.com (Leigh)
To: Michael Shadle
Cc: "internals@lists.php.net"
Date: Wed, 19 Sep 2012 17:15:23 +0100
Subject: Re: [PHP-DEV] Re: RFC: Implementing a core anti-XSS escaping class

> Call it str_escape(string, flags optional, encoding optional) and be done with it.

Keeping it simple definitely preferred

> 1) do we even need encoding or is UTF8 just fine

Definitely need encoding. mbstring supports quite a lot
http://php.net/manual/en/mbstring.supported-encodings.php

I think you'd need to at least approximately match those encodings, perhaps there is code already there that can be depended upon?
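
Added example (not part of the original message, and not code from the RFC or from PHP itself): a userland sketch of the str_escape(string, flags, encoding) signature suggested in the thread, leaning on mbstring for the encoding handling. The allow-list constant, the choice to transcode through UTF-8, and the sample inputs are assumptions made for illustration; it covers HTML body and quoted-attribute context only and expects PHP 7 or later with ext/mbstring loaded.

```php
<?php
// Hypothetical allow-list of output encodings (mbstring's canonical names).
const STR_ESCAPE_ENCODINGS = ['UTF-8', 'ISO-8859-1', 'Windows-1252', 'SJIS', 'EUC-JP', 'KOI8-R'];

// str_escape() is the name proposed in the thread; it is not a PHP built-in.
function str_escape(string $string, int $flags = ENT_QUOTES, string $encoding = 'UTF-8'): string
{
    // An unknown or unexpected encoding name is an error, never a silent fallback.
    if (!in_array($encoding, STR_ESCAPE_ENCODINGS, true)) {
        throw new InvalidArgumentException("Unsupported encoding: $encoding");
    }

    // Refuse input that is malformed in the declared encoding. Escaping bytes
    // whose character boundaries are ambiguous gives no guarantee about what
    // the browser will later decode.
    if (!mb_check_encoding($string, $encoding)) {
        throw new InvalidArgumentException("Input is not valid $encoding");
    }

    // Let mbstring do the multi-byte work: transcode to UTF-8, escape there,
    // then transcode back. The inserted entities are plain ASCII, which every
    // encoding in the allow-list can represent.
    $utf8    = mb_convert_encoding($string, 'UTF-8', $encoding);
    $escaped = htmlspecialchars($utf8, $flags, 'UTF-8');

    return mb_convert_encoding($escaped, $encoding, 'UTF-8');
}

// Constructed sample inputs.
$utf8Input = '<a href="x" title=\'y\'>caf' . "\xC3\xA9" . '</a>';
echo str_escape($utf8Input), "\n";

// The same markup characters inside a Shift_JIS string, escaped as Shift_JIS.
$sjisInput = mb_convert_encoding('<b>日本語</b>', 'SJIS', 'UTF-8');
echo mb_convert_encoding(str_escape($sjisInput, ENT_QUOTES, 'SJIS'), 'UTF-8', 'SJIS'), "\n";

// A truncated UTF-8 sequence is rejected instead of being passed through.
try {
    str_escape("caf\xC3", ENT_QUOTES, 'UTF-8');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```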