Newsgroups: php.internals
Subject: Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Date: Thu, 20 Sep 2012 15:05:13 +0100
Message-ID: <505B2299.7060703@lsces.co.uk>

Ferenc Kovacs wrote:
>> My whole point here is identifying WHAT needs 'escaping'. You can't simply
>> 'escape' the output stream, you still want html tags to get out?
>
> This problem is specific to YOU, because (as far as I understood your
> previous post) you decided to store big chunks of HTML in your data
> store. It is not a problem with this proposal, or a problem in
> general.
>
>> more specifically: accepting HTML, but trying to allow some of the tags but
>> still filtering most of it.
>
> HTMLPurifier is the tool for this kind of job, but most people would recommend
> using some kind of alternative markup format, like BBCode.

Which is another possible solution to the overall problem. Filter the incoming data in a different way :)

I'm more than happy with my OWN methods of handling this problem, I was just pointing out that a LOT of people find ckeditor or one of the html in-line editors and think that is a good way to go ... that was how I started several years ago ... so I'm just putting my hand up and saying that simply creating an 'anti-XSS escaping class' may not work for some people. It is the whole package that is important.
( That is another tack on this as well Paddy )

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
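The two approaches the thread contrasts, shown side by side as an added example (this is not code from the thread, from Lester's or Ferenc's projects, or from PHP itself; the function names escapeHtml and bbcodeToHtml and the sample input are constructed for illustration). A plain output-escaping helper is correct for text but turns any HTML the author meant to keep into visible literal tags, which is the complaint about an "anti-XSS escaping class" on its own. The alternative-markup route suggested in the quoted reply escapes everything first and only then translates a small allow-list of BBCode tags into HTML, so no raw `<` from the input can ever reach the page; the only HTML emitted is what the translator itself writes. The `[url]` handler also shows the check that a permissive approach tends to forget: the target must be http(s), otherwise the link is dropped and only its text is kept.

```php
<?php
// Added example: contextual output escaping vs. escape-then-allow-list BBCode.
// Not code from the mailing-list thread or from PHP's own source.
declare(strict_types=1);

// Approach 1: escape the whole output stream. Safe, but it also neutralises
// any markup the author intentionally stored.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Approach 2: accept an alternative markup (BBCode) instead of HTML.
// Escape first, then rewrite an allow-list of tags. Because escaping has
// already run, the input cannot contribute any '<' or '"' of its own.
function bbcodeToHtml(string $input): string
{
    $html = escapeHtml($input);

    // Inline tags with no attributes: a fixed map of BBCode tag -> HTML tag.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $tag) {
        $html = preg_replace(
            '~\[' . $bb . '\](.*?)\[/' . $bb . '\]~is',
            "<$tag>$1</$tag>",
            $html
        );
    }

    // [url=target]text[/url]: allow only http(s) targets. Anything else
    // (javascript:, data:, vbscript:, relative paths) is reduced to its text.
    $html = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        static function (array $m): string {
            // $m[1] is already entity-escaped; decode it to inspect the scheme,
            // then re-escape it when writing the attribute.
            $target = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $target)) {
                return $m[2];
            }
            return '<a href="' . escapeHtml($target) . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    return $html;
}

// Constructed sample input: legitimate formatting plus two injection attempts.
$stored = 'Hello [b]world[/b] <script>alert(1)</script> '
        . '[url=javascript:alert(1)]click[/url] '
        . '[url=https://example.com/?a=1&b=2]site[/url]';

// Approach 1: everything, including the [b] markers, is shown literally.
echo escapeHtml($stored), "\n";

// Approach 2: bold and the https link survive; the script and the
// javascript: link are neutralised.
echo bbcodeToHtml($stored), "\n";
```

The order of operations is the whole point: escaping before tag translation means a stray `]` or `<` in user text can never break out of the generated markup, and the `[url]` scheme check is done on the decoded target so entity-encoded tricks in the scheme name are not mistaken for a safe URL. Adding more tags is a matter of extending the allow-list, not of trying to enumerate what to strip from arbitrary HTML, which is the task the thread hands to HTMLPurifier.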