Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63173
Return-Path: <padraic.brady@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 13222 invoked from network); 19 Sep 2012 18:41:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Sep 2012 18:41:19 -0000
Authentication-Results: pb1.pair.com smtp.mail=padraic.brady@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=padraic.brady@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.42 as permitted sender)
X-PHP-List-Original-Sender: padraic.brady@gmail.com
X-Host-Fingerprint: 209.85.160.42 mail-pb0-f42.google.com  
Received: from [209.85.160.42] ([209.85.160.42:33282] helo=mail-pb0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 80/53-15057-EC11A505 for <internals@lists.php.net>; Wed, 19 Sep 2012 14:41:18 -0400
Received: by pbbrp8 with SMTP id rp8so3115447pbb.29
        for <internals@lists.php.net>; Wed, 19 Sep 2012 11:41:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding;
        bh=ccSgXjIQIVAt4abPad9KruLhZMA3W+KsiKmhKmbNkJg=;
        b=mWruo+5LWbFvLqbMFOTkj+OEoPE5/lDsloTMo1eQnpQRZgxXqpjYagL6joWC/rVnrm
         ngL9T3RfwoeBrfs3O74d4HERLB5+4tZ+jHoHTaGFHCzchAPzReQId/tNEFtLKkLGsMp/
         ZgsxaPoQ4elyLS/Vgy901qQC44vKtjml4Y8q0eGxdkwhpWBsHD8jdd8EyM1VqC79i2d7
         A5YyE+cjRKuha/58Bpi+xFD/SPA4JrZbdc02sLrthdfoOG5nULEiHMXW6vSJ/y2qkzV9
         GWRyKAJUkgf3bR7aXfg/v2FJPL+EgPwAfd3c422zB/RzTksYOe4To1AtEJT2effXApdl
         ESQA==
MIME-Version: 1.0
Received: by 10.66.75.106 with SMTP id b10mr8813810paw.73.1348080075930; Wed,
 19 Sep 2012 11:41:15 -0700 (PDT)
Received: by 10.66.73.42 with HTTP; Wed, 19 Sep 2012 11:41:15 -0700 (PDT)
In-Reply-To: <505A0A30.9050806@mrclay.org>
References: <CALwr1Gn4OmHP=Qa7NKzpbkq+w8FEjUMZ3v678bbZVOGM23G35g@mail.gmail.com>
	<5058AD25.8010304@mrclay.org>
	<5058AFD7.7080703@ajf.me>
	<CALwr1GkgjB4NWEaWDb6QHpvqALhfn_ut=OLKVcWfKAzjdfePkQ@mail.gmail.com>
	<5059E3A2.3090805@ajf.me>
	<CALwr1Gm6KCHTDd0jQqkWTcOxFhxQXawZAyqhTzrkgp4eYY9W2Q@mail.gmail.com>
	<5059E74D.8080002@ajf.me>
	<CALwr1GmcrA8dJYfwog3PK8Lv1ZkdiaTBG2cFagRpfbc3xr2ONQ@mail.gmail.com>
	<505A0A30.9050806@mrclay.org>
Date: Wed, 19 Sep 2012 19:41:15 +0100
Message-ID: <CALwr1G=EGMmW+uZ1jhMjJZ-NiNx_hWxLs0jXFCDT+BBUmpkfCg@mail.gmail.com>
To: Steve Clay <steve@mrclay.org>
Cc: internals@lists.php.net
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: padraic.brady@gmail.com (=?ISO-8859-1?Q?P=E1draic_Brady?=)

Hi Steve,

The CSS escaping strategy would escape all non-alphanumerics to CSS
hex sequences ;). As a result, HTML escaping is not strictly
necessary.

Paddy

On Wed, Sep 19, 2012 at 7:08 PM, Steve Clay <steve@mrclay.org> wrote:
> On 9/19/12 1:48 PM, P=E1draic Brady wrote:
>>
>> <style>
>> body {
>>   background-color: <? echo $e->escapeCss('white'); ?>
>> }
>> </style>
>
>
> Hmmm, the following is a valid value:
>
> "</style><script>alert('xss')"
>
> ...for both the content and font-family CSS properties. Gotta love HTML!
>
> What would escapeCss do with them? Do we need to wrap in escapeHtml?
>
> Steve
> --
> http://www.mrclay.org/
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>



--=20
P=E1draic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team