Newsgroups: php.internals
Xref: news.php.net php.internals:63202
In-Reply-To: <505B124A.8070309@lsces.co.uk>
References: <505AEB97.8010303@lsces.co.uk> <505B124A.8070309@lsces.co.uk>
Date: Thu, 20 Sep 2012 14:09:43 +0100
To: Lester Caine
Cc: PHP internals
Subject: Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape
From: leight@gmail.com (Leigh)

> My whole point here is identifying WHAT needs 'escaping'. You can't simply
> 'escape' the output stream, you still want HTML tags to get out?

This problem is specific to YOU, because (as far as I understood your previous
post) you decided to store big chunks of HTML in your data store. It is not a
problem with this proposal, or a problem in general.

> Perhaps HTMLPurifier should be a requirement everywhere, but then you need to
> 'pre-process' the content so as to allow through the 'text' that you want to
> display, which may well be an example of an XSS attack? You can only apply
> 'escape' to elements that you have identified as needing it and need to let
> through those that do not.

No, it should not be a requirement. Most people inject directly into attributes
or into tags in a template fashion; they don't have to parse their own output,
because they generate it in a sensible fashion.

> It is the 'filtering' out of the material that needs processing that is the
> problem? And I have no doubt that someone will find a hole that allows them to
> sneak past the filtering?

Again, your problem, not one with the escape function proposal.

Also again, may I direct you to the general user list, and maybe someone there
will feel like helping you with how to parse your HTML blobs, since this really
isn't the concern of internals.
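As an added example, not code from this thread or from PHP's own source (the function names esc_html, esc_attr, esc_url_param and render_profile_link are mine, the inputs are constructed, and it assumes PHP 7 or later for the scalar type declarations), this is what injecting into attributes and tags "in a template fashion" looks like, set beside the stored-HTML case from the quoted post that an escape function does not address:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP itself. It shows the
// two things being argued about: escaping at the template placeholder where
// untrusted data lands (the escape proposal's job), and the separate problem
// of a stored HTML blob, which escaping cannot solve. Names are my own.

// For text between tags. ENT_QUOTES covers both quote characters and
// ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string
// (the silent failure mode of htmlspecialchars without that flag).
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value inside a *double-quoted* attribute. The call is the same as
// esc_html today; what differs is the contract: the template must quote the
// attribute, because an unquoted attribute value is terminated by a space
// and escaping quotes does nothing for it.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For one query-string parameter inside a URL. rawurlencode leaves only
// unreserved characters, so its output contains no &, ", < or > and a single
// parameter needs no second escape; a complete URL with & separators would
// still have to go through esc_attr before landing in href="...".
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Injecting "into attributes or into tags in a template fashion": each
// placeholder is escaped for the context it lands in, so the generated
// output never has to be parsed or filtered again.
function render_profile_link(string $name): string
{
    return sprintf(
        '<a href="/profile?user=%s" title="%s">%s</a>',
        esc_url_param($name),
        esc_attr($name),
        esc_html($name)
    );
}

// Constructed untrusted input: an attribute break-out followed by a tag.
// All three contexts above neutralise it; the quote never closes the
// attribute and the angle brackets never open an element.
$name = '" onmouseover="alert(1)" x="<script>alert(2)</script>';
echo render_profile_link($name), PHP_EOL;

// The case in the quoted post: a blob of HTML from the data store that is
// meant to keep its markup. Escaping it is safe but turns the tags into
// visible text; echoing it raw hands the browser the onerror handler.
// Keeping <b> while dropping onerror is sanitising, which needs an
// allow-list HTML parser (HTMLPurifier is the one named in the thread),
// not an escape function.
$blob = '<p>Hello <b>world</b></p><img src=x onerror="alert(3)">';
echo esc_html($blob), PHP_EOL;
// echo $blob;   // not safe: the onerror handler would run in a browser
```

esc_html and esc_attr are deliberately separate names even though they make the same call: the name records which context the placeholder sits in, and esc_attr is only correct for an attribute the template itself wraps in double quotes. The last two lines are the practical content of the reply above: once markup is stored rather than generated, the choice is between showing it as text and trusting it, and neither of those is an escaping decision.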