Newsgroups: php.internals
Date: Sun, 8 Feb 2004 20:33:40 +0100 (CET)
From: derick@php.net (Derick Rethans)
To: PHP Developers Mailing List
Subject: Session SID and strip tags

Hey,

while reading the session documentation today (en/reference/session/reference.xml) I noticed the following:

To continue, click here

The strip_tags() is used when printing the SID in order to prevent XSS related attacks. What's the point of having the SID support < and > anyway and can't we just do the 'strip_tags' internally. The usage of strip_tags() in the example is now needed, but it looks, well, kinda strange that it is needed.

regards,
Derick
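
The idea raised in the message above, filtering the session ID once internally instead of calling strip_tags() at every output site, sketched as an added example (not code from the post, the PHP manual or PHP's session extension). The helper names, the allowed character set and the sample IDs are assumptions constructed for illustration; the syntax assumes PHP 7 or later.

```php
<?php
// Added example. is_valid_session_id() and sid_for_output() are hypothetical
// helpers, not functions provided by PHP.

// Allowlist check done once, before the value is ever exposed as SID.
// Assumption: IDs consist of letters, digits, '-' and ',' only, 1..128 chars.
function is_valid_session_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Build the "name=id" string that the SID constant carries,
// or an empty string when the ID is rejected.
function sid_for_output(string $name, string $id): string
{
    if (!is_valid_session_id($id)) {
        return ''; // caller should discard the ID and start a fresh session
    }
    return $name . '=' . $id;
}

// Constructed sample IDs: one well-formed, one carrying markup characters.
$samples = ['3f2a9c0b7d1e4a55', 'abc"<b>x</b>'];

foreach ($samples as $id) {
    $raw = 'PHPSESSID=' . $id;

    // What each output-time treatment leaves in the string.
    // strip_tags() removes tags only; htmlspecialchars() with ENT_QUOTES
    // also encodes quotes, which matters inside an HTML attribute.
    printf("raw:              %s\n", $raw);
    printf("strip_tags:       %s\n", strip_tags($raw));
    printf("htmlspecialchars: %s\n", htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));

    // What input-time validation yields: the ID is accepted whole or not at all.
    printf("validated:        %s\n\n", var_export(sid_for_output('PHPSESSID', $id), true));
}
```

With validation at the point where the ID enters the session layer, the value written into links never contains markup characters, so the output site no longer depends on each template author remembering a filter call.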