Newsgroups: php.internals
Xref: news.php.net php.internals:63175
Date: Wed, 19 Sep 2012 14:48:11 -0700
To: Pádraic Brady
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: mike503@gmail.com (Michael Shadle)

On Tue, Sep 18, 2012 at 10:32 AM, Pádraic Brady wrote:
> Hi Michael,
>
> See the link near the bottom of the RFC - even htmlspecialchars() has
> unusual behaviour that's potentially insecure. I have no objections to
> there being functions, of course, and the RFC makes that clear.
> However, many programmers like me are obsessed with objects so having
> an SPL class will obviously be near and dear to my design patterned
> heart ;).

After looking over the RFC finally, would it be that crazy to consider this an extension of the standard string functions?

str_escape($string, $encoding, $flags)

or probably better

str_escape($string, $flags, $encoding)

- since encoding could be defaulted to UTF-8, but flags are really what differentiate the behavior...

Then there is not a handful of functions but rather one that can be used as the abstraction point, and the flags passed to it will change its behavior, much like the filter functions.

(I just see this falling under one solid de facto escape function standard, and it could live by itself as "escape" or something, or, as it operates on strings, prefix it as such.)
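The flag-driven signature proposed in the message above, sketched in userland PHP as an added example that is not code from the RFC, from this thread, or from PHP itself; the STR_ESC_* constants and the str_escape() body are hypothetical, each flag selects one output context the way filter_var() flags select behaviour, and the code assumes PHP 7.4 or later with the mbstring extension:

```php
<?php
// Added example, not code from the RFC, the thread or PHP: one flag-driven
// escaper in the filter_*() style. STR_ESC_* and str_escape() are hypothetical.
const STR_ESC_HTML = 1; // text between tags
const STR_ESC_ATTR = 2; // attribute value (safe even if the attribute is unquoted)
const STR_ESC_JS   = 4; // inside a JavaScript string literal
const STR_ESC_URL  = 8; // URL query-string component
function str_escape(string $string, int $flags = STR_ESC_HTML, string $encoding = 'UTF-8'): string
{
    // Work on valid UTF-8 only: convert from the caller's encoding, then reject
    // malformed input instead of letting it reach a byte-oriented escaper.
    if (strcasecmp($encoding, 'UTF-8') !== 0) {
        $string = mb_convert_encoding($string, 'UTF-8', $encoding);
    }
    if (!mb_check_encoding($string, 'UTF-8')) {
        throw new InvalidArgumentException('str_escape(): input is not valid ' . $encoding);
    }
    // Encode every character outside a small safe set via the given formatter.
    $encodeAll = function (string $safe, callable $fmt) use ($string): string {
        return preg_replace_callback('/[^' . $safe . ']/u',
            fn(array $m) => $fmt(mb_ord($m[0], 'UTF-8')), $string);
    };
    switch ($flags) {
        case STR_ESC_HTML:
            // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces bad
            // bytes with U+FFFD instead of the documented default of returning "".
            return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case STR_ESC_ATTR:
            return $encodeAll('A-Za-z0-9,._-', fn(int $cp) => sprintf('&#x%02X;', $cp));
        case STR_ESC_JS:
            return $encodeAll('A-Za-z0-9,._', function (int $cp): string {
                if ($cp <= 0xFFFF) {
                    return sprintf('\\u%04X', $cp);
                }
                $cp -= 0x10000; // astral plane: emit a UTF-16 surrogate pair
                return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
            });
        case STR_ESC_URL:
            return rawurlencode($string);
        default:
            throw new InvalidArgumentException('str_escape(): pick exactly one context flag');
    }
}
$untrusted = "<b>Tom & Jerry's</b> \"quoted\""; // constructed sample input
echo '<p>' . str_escape($untrusted) . "</p>\n";
echo '<input value=' . str_escape($untrusted, STR_ESC_ATTR) . ">\n";
echo "<script>var s = '" . str_escape($untrusted, STR_ESC_JS) . "';</script>\n";
echo '<a href="/search?q=' . str_escape($untrusted, STR_ESC_URL) . "\">go</a>\n";
```

Combining flags is rejected on purpose: the contexts are not composable, and a caller that does not know which one it is in should not get a "best effort" result.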