Newsgroups: php.internals
Date: Thu, 20 Sep 2012 11:11:13 +0100
From: Pádraic Brady <padraic.brady@gmail.com>
To: Michael Shadle
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

Hi Michael,

> After looking over the RFC finally, would it be that crazy to consider
> this an extension of the standard string functions?
>
> str_escape($string, $encoding, $flags) or probably better
> str_escape($string, $flags, $encoding) - since encoding could be
> defaulted to UTF-8, but flags are really what differentiate the
> behavior...
>
> Then there is not a handful of functions but rather one that can be
> used as the abstraction point and the flags passed to it will change
> its behavior, much like the filter functions.
>
> (I just see this falling under one solid de facto escape function
> standard, and it could live by itself as "escape" or something, or as
> it operates on strings, prefix it as such)

I think the filter_var() approach to using flags to switch core behaviour
is flawed for any number of reasons, but consider being a programmer
writing PHP templates...

htmlspecialchars($value, ENT_QUOTES|ENT_SUBSTITUTE, 'utf-8');
str_escape($string, ESCAPE_HTML_BODY, 'utf-8');

vs

escape_html($value, 'utf-8');
$e->escapeHtml($value);

Brevity and a clear meaning have their advantages.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
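To make the comparison in the message concrete, here is an added example of what a context-named escaper looks like in practice. It is illustrative code written for this page, not the RFC's proposed class and not Zend Framework code; the class name `Escaper`, the method names `escapeHtml`, `escapeHtmlAttr` and `escapeJs`, and the character allow-lists are assumptions chosen for the example. It goes slightly beyond the message by adding two more output contexts (attribute value and JavaScript string), because the difference between them is the reason a per-context method name carries more meaning than a flag constant.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative context-aware escaper (added example; not the RFC's class).
 * Each method is named after the output context it is safe for, so the
 * template author does not have to remember a flag combination.
 */
final class Escaper
{
    private string $encoding;

    public function __construct(string $encoding = 'UTF-8')
    {
        $this->encoding = $encoding;
    }

    /** HTML body text: exactly the htmlspecialchars() call from the message. */
    public function escapeHtml(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    /**
     * HTML attribute value. Stricter than escapeHtml(): every character outside
     * a small allow-list becomes a numeric entity, so a space, quote or
     * backtick cannot terminate an unquoted attribute. (Allow-list is an
     * assumption for this example.)
     */
    public function escapeHtmlAttr(string $value): string
    {
        $value = mb_convert_encoding($value, 'UTF-8', $this->encoding);
        return preg_replace_callback(
            '/[^a-zA-Z0-9,._-]/u',
            static fn (array $m): string => sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8')),
            $value
        );
    }

    /**
     * JavaScript string literal. Uses \xHH below U+0100 and \uHHHH above it;
     * code points beyond the BMP are emitted as a UTF-16 surrogate pair,
     * which is what a JS string literal actually holds.
     */
    public function escapeJs(string $value): string
    {
        $value = mb_convert_encoding($value, 'UTF-8', $this->encoding);
        return preg_replace_callback(
            '/[^a-zA-Z0-9,._]/u',
            static function (array $m): string {
                $cp = mb_ord($m[0], 'UTF-8');
                if ($cp < 0x100) {
                    return sprintf('\\x%02X', $cp);
                }
                $out = '';
                $utf16 = mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8');
                foreach (str_split($utf16, 2) as $unit) {
                    $out .= sprintf('\\u%04X', (ord($unit[0]) << 8) | ord($unit[1]));
                }
                return $out;
            },
            $value
        );
    }
}

// Constructed untrusted input for the demo: a classic attribute breakout.
$untrusted = '" onmouseover="alert(1)';
$e = new Escaper('UTF-8');

// Body context: quotes become entities, the tag structure is untouched.
echo '<p>' . $e->escapeHtml($untrusted) . "</p>\n";

// Unquoted attribute: escapeHtml() alone would leave the space intact and
// let the payload start a new attribute; escapeHtmlAttr() encodes it.
echo '<div title=' . $e->escapeHtmlAttr($untrusted) . ">\n";

// JS string context: the quote and space are \x-escaped, nothing can close
// the literal or the <script> element early.
echo "<script>var s = '" . $e->escapeJs($untrusted) . "';</script>\n";
```

The same three routines could equally sit behind one `str_escape($string, $flags, $encoding)` dispatcher with three flag constants, which is the design Michael proposes; the functional result is identical either way. What the per-method form buys is that the call site reads as a statement of the output context, so a reviewer can check `escapeHtmlAttr()` against the surrounding attribute syntax without looking up which flag was passed.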