Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:63176 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 57959 invoked from network); 20 Sep 2012 01:05:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 20 Sep 2012 01:05:16 -0000 Authentication-Results: pb1.pair.com header.from=dragoonis@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=dragoonis@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.170 as permitted sender) X-PHP-List-Original-Sender: dragoonis@gmail.com X-Host-Fingerprint: 209.85.223.170 mail-ie0-f170.google.com Received: from [209.85.223.170] ([209.85.223.170:62835] helo=mail-ie0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FB/9A-15057-BCB6A505 for ; Wed, 19 Sep 2012 21:05:16 -0400 Received: by iebc12 with SMTP id c12so1287881ieb.29 for ; Wed, 19 Sep 2012 18:05:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=6kz8mAif4xj1HiYIO+JJ7bnO7qxypOFR0cnXVc3h+C4=; b=TPVh+t/zlKIHylEO2D8dGOB2MIOVKZjEeRKqTxygG3GoHHSyYb0/ZoqFSgPGozjJxI M/QqivypwRo50JIKzNqGm4ru7ptoDxTCtZIS9gX8ROitjRl2i7Gd0kAS3sw4FjvkfPhk zvF5fcDZ+0tOaw/AsBjkRyOJdQv4WfnB7pRC5r4g6mQICjltL0qdB7WaoxmJlV0y1mS3 Lz4nqlMO1/L3mFMuBkt0crObxBu4fWhxgBDE3IELIZ8tRAKCDlz+rcOEdR5A0WQnuh9z IpG1N441RmmkMsA8UWSXIig7qLpU73jzOvMHPWyHOskMA3rK8ibxLW+4Pu1B5PD8S4bL OmCw== MIME-Version: 1.0 Received: by 10.43.45.200 with SMTP id ul8mr183002icb.36.1348103112818; Wed, 19 Sep 2012 18:05:12 -0700 (PDT) Received: by 10.64.170.133 with HTTP; Wed, 19 Sep 2012 18:05:12 -0700 (PDT) In-Reply-To: References: <0AC6EB13-3588-403B-BE73-968F12C7B7AF@gmail.com> Date: Thu, 20 Sep 2012 02:05:12 +0100 Message-ID: To: Michael Shadle Cc: =?ISO-8859-1?Q?P=E1draic_Brady?= , "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class From: dragoonis@gmail.com (Paul Dragoonis) On Wed, Sep 19, 2012 at 10:48 PM, Michael Shadle wrote: > On Tue, Sep 18, 2012 at 10:32 AM, P=E1draic Brady wrote: >> Hi Michael, >> >> See the link near the bottom of the RFC - even htmlspecialchars() has >> unusual behaviour that's potentially insecure. I have no objections to >> there being functions, of course, and the RFC makes that clear. >> However, many programmers like me are obsessed are objects so having >> an SPL class will obviously be near and dear to my design patterned >> heart ;). > > After looking over the RFC finally, would it be that crazy to consider > this an extension of the standard string functions? > > str_escape($string, $encoding, $flags) or probably better > str_escape($string, $flags, $encoding) - since encoding could be I'm also proposing escape_var(), just like filter_var(). If it's str_escape() then that's still sane, it's consistent and that's all that matters. :-) - Paul. > defaulted to UTF-8, but flags are really what differentiate the > behavior... > > Then there is not a handful of functions but rather one that can be > used as the abstraction point and the flags passed to it will change > it's behavior, much like the filter functions. > > (I just see this falling under one solid defacto escape function > standard, and it could live by itself as "escape" or something, or as > it operates on strings, prefix it as such) > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >