Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class
From: pierre.php@gmail.com (Pierre Joye)
To: Pádraic Brady
Cc: internals@lists.php.net
Date: Fri, 21 Sep 2012 08:31:59 +0200

Hi Pádraic,

Given the current discussions about the APIs (see my other reply too) and their usage, and that this proposal is non-invasive/self-contained in an extension, I would strongly suggest already going with it in PECL, doing releases (staying alpha until you have a very good feeling about the API stability), etc. It will also greatly help to get more feedback. Then it could be proposed again for being bundled at some point, before we go into feature freeze for 5.5.

Cheers,

On Tue, Sep 18, 2012 at 1:30 PM, Pádraic Brady wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
>
> Best regards,
> Paddy
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team

-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
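As an added example of the per-context escaping the RFC argues for, not code from the RFC, from either mailing-list author, or from Zend Framework: a small escaper with one method per output context (HTML text, HTML attribute, JavaScript string, CSS, URL component). The class name `ContextEscaper`, the method names and the helper `renderSearchLink` are assumptions made here; the encoding rules follow the general contextual-escaping approach the thread refers to, not any particular library's implementation.

```php
<?php
declare(strict_types=1);

// Added example: a context-aware escaper in the spirit of the escaper RFC.
// Not the RFC's, the post authors' or Zend Framework's code; class and method
// names are assumptions. Requires the mbstring extension (mb_ord) and input
// that is valid UTF-8.
final class ContextEscaper
{
    private const NAMED = ['&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'];

    // HTML text nodes: entity-encode &, <, >, " and '.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // HTML attribute values: encode every character outside [A-Za-z0-9,._-],
    // so the value cannot terminate the attribute even when it is unquoted.
    public static function htmlAttr(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m): string {
            return self::NAMED[$m[0]] ?? sprintf('&#x%04X;', self::codePoint($m[0]));
        }, $s);
    }

    // JavaScript string literals: \xHH below U+0100, \uHHHH above (surrogate
    // pairs beyond U+FFFF), so no quote, backslash, newline or "</script>"
    // survives unescaped.
    public static function js(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
            $cp = self::codePoint($m[0]);
            if ($cp < 0x100) {
                return sprintf('\\x%02X', $cp);
            }
            if ($cp > 0xFFFF) {
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }
            return sprintf('\\u%04X', $cp);
        }, $s);
    }

    // CSS string or identifier context: backslash-hex escape terminated by a
    // space, so the next character is never read as part of the escape.
    public static function css(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
            return sprintf('\\%X ', self::codePoint($m[0]));
        }, $s);
    }

    // URL path or query components: RFC 3986 percent-encoding.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }

    private static function codePoint(string $utf8Char): int
    {
        return mb_ord($utf8Char, 'UTF-8');
    }
}

// One untrusted value placed into four contexts of the same fragment. The
// onclick attribute is a nested context: escape for JavaScript first, then for
// the attribute carrying it, because the HTML parser decodes the outer layer
// before the JavaScript engine sees the inner one.
function renderSearchLink(string $label): string
{
    return sprintf(
        '<a href="/search?q=%s" title="%s" onclick="track(\'%s\')">%s</a>',
        ContextEscaper::url($label),
        ContextEscaper::htmlAttr($label),
        ContextEscaper::htmlAttr(ContextEscaper::js($label)),
        ContextEscaper::html($label)
    );
}

// Constructed sample input containing the characters each context treats specially.
$sample = 'O\'Neil & "co" <b>café</b>';
foreach (['html', 'htmlAttr', 'js', 'css', 'url'] as $ctx) {
    printf("%-9s %s\n", $ctx . ':', ContextEscaper::$ctx($sample));
}
echo renderSearchLink($sample), "\n";
```

Run it from the command line with `php`. The thing to notice in the output is that the `htmlspecialchars` result is correct only for the text-node context; the attribute, JavaScript and CSS encoders each emit a different, stricter form of the same value, which is why a single "escape" function is not enough and the proposal separates the contexts.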