Newsgroups: php.internals
Subject: Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Lester Caine
Cc: internals@lists.php.net
Date: Thu, 20 Sep 2012 12:25:22 +0200
In-Reply-To: <505AEB97.8010303@lsces.co.uk>

> My point here is that much of what is being discussed on 'a core anti-XSS
> escaping class' is missing some of the basic problems, and 'filtering'
> is my own take on the correct way of managing this!

and this is where you are wrong. see
https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet#A_Positive_XSS_Prevention_Model
and
https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F

> Many of the recent XSS holes have simply been the likes of the 'highlight'
> function in smarty which had no filtering at all ... and just needed
> sanitizing before anything was done with it.

you haven't experienced all of the possible contexts where an XSS vulnerability can take place. this doesn't mean that those vectors don't exist.

> This 'class' is purely targeting a small area of the problem and
> repackaging functions which still need the user to understand which
> 'filter' to apply to which string?

nope. this class aims to provide the developers with a tool to safely encode content into each possible context.

> If it is expected to simply apply a process to the output which will 'protect
> users' then it can never succeed.

escaping the output doesn't mean that you can't also filter the input (usually they walk hand in hand: "filter in, escape out"). you are the only one preaching here that half of that is an ok solution. if you only filter the input, you cannot use more than one output context without the risk of compromise, and you also put all your defense in the belief that your data stored in your relational database (or cache, etc.) is safely filtered.

> The users need to understand just where to 'filter' the strings they are
> using and what filters to use.

yeah, that's one thing that we can't fix, as for properly encoding the output you need to know the output context.

> Now if what is proposed is a 'class' that will decompose an html page with
> embedded css and js and magically remove any XSS injection then it might be
> useful, and I think the creator of that would be in line for a Nobel prize?

? how does it relate to the current discussion

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
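The "filter in, escape out" split argued for above, as an added example that is not part of this thread and not the escaper class under discussion: one allow-list input filter plus one escaping routine per output context. The class, function names and the sample input are constructed for this illustration.

```php
<?php
// Added example, not code from this thread or from PHP's own library: the
// same untrusted value needs a different encoding for each context it lands
// in. A single htmlspecialchars() pass fits the HTML body, not a JS string
// literal and not a URL query value.
final class Escaper
{
    // HTML element content and quoted attribute values.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // JavaScript string literal: escape every non-alphanumeric character so
    // quotes, backslashes, '<' (no early "</script>") and line terminators
    // never reach the HTML or JS parser raw.
    public static function js(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u', static function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x100) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp <= 0xFFFF) {
                return sprintf('\\u%04X', $cp);
            }
            $cp -= 0x10000; // outside the BMP: emit a UTF-16 surrogate pair
            return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
        }, $s);
    }

    // A value embedded in a URL query string.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }
}

// "Filter in": a positive model for a field with a known shape; anything that
// is not a short handle of word characters is rejected outright.
function filterHandle(string $input): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $input) === 1 ? $input : null;
}

// Constructed untrusted input rendered into three different contexts.
$name = 'O\'Brien <b>&</b> "Co"';
echo '<p>', Escaper::html($name), "</p>\n";
echo '<a href="/u?q=', Escaper::html(Escaper::url($name)), '">link</a>', "\n"; // URL inside an attribute: two layers
echo '<script>var who = "', Escaper::js($name), '";</script>', "\n";
var_dump(filterHandle('bad handle!'), filterHandle('tyrael'));
```

The href case shows why escaping is layered: the value is URL-encoded for the query string and then HTML-escaped because the whole URL sits inside an attribute.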