Newsgroups: php.internals
Xref: news.php.net php.internals:7649
Subject: Re: [PHP-DEV] Session SID and strip tags
From: rasmus@php.net (Rasmus Lerdorf)
To: Derick Rethans
cc: PHP Developers Mailing List
Date: Sun, 8 Feb 2004 12:26:01 -0800 (PST)

Perhaps the real answer here is to turn on input filtering by default so we
defeat XSS once and for all across the board.

On Sun, 8 Feb 2004, Derick Rethans wrote:
> Hey,
>
> while reading the session documentation today
> (en/reference/session/reference.xml) I noticed the following:
>
> To continue, click here
>
> The strip_tags() is used when printing the SID in order to prevent XSS
> related attacks.
>
> What's the point of having the SID support < and > anyway and can't we
> just do the 'strip_tags' internally. The usage of strip_tags() in the
> example is now needed, but it looks, well, kinda strange that it is
> needed.
>
> regards,
> Derick
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
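The thread above is about the session documentation echoing SID into a link and wrapping it in strip_tags() to keep the page from being injectable. The following PHP script is an added example, not code from the thread or from the PHP documentation it discusses: it builds that "continue" link three ways and feeds each a constructed hostile session id, so the difference between strip_tags() and htmlspecialchars() in an attribute context becomes visible. The file name next.php, the function names, and the allowed character set in sid_is_wellformed() are assumptions of the example.

```php
<?php
// Added example; not code from the php.internals thread or from the PHP
// documentation it discusses. Shows why a session id echoed into HTML must
// be escaped for the HTML attribute context, and why strip_tags() alone is
// a weaker choice than htmlspecialchars() for that job.

declare(strict_types=1);

// Build the "continue" link the way the session docs did, passing SID on the
// query string. $sid stands in for PHP's SID constant ("PHPSESSID=<id>").
// next.php is a placeholder target page (assumption of this example).
function link_unescaped(string $sid): string
{
    return '<a href="next.php?' . $sid . '">To continue, click here</a>';
}

// Variant 1: strip_tags() removes <...> tags but leaves a bare '"' and '>'
// untouched, so a crafted id can still terminate the href attribute early.
function link_strip_tags(string $sid): string
{
    return '<a href="next.php?' . strip_tags($sid) . '">To continue, click here</a>';
}

// Variant 2: htmlspecialchars() encodes <, >, & and both quote characters,
// which keeps the value inside the href attribute whatever the id contains.
function link_escaped(string $sid): string
{
    return '<a href="next.php?' . htmlspecialchars($sid, ENT_QUOTES, 'UTF-8')
        . '">To continue, click here</a>';
}

// Variant 3: validate instead of (or as well as) escaping. Ids that PHP
// itself generates are 22 to 256 characters drawn from [A-Za-z0-9,-], so
// anything else can be rejected before it reaches the page. The exact
// alphabet depends on session.sid_bits_per_character; the pattern here is
// the widest of those alphabets and is an assumption of this example.
function sid_is_wellformed(string $sid): bool
{
    return (bool) preg_match('/^PHPSESSID=[A-Za-z0-9,-]{22,256}$/', $sid);
}

// Constructed hostile value: a session id carrying a quote and markup.
$hostile = 'PHPSESSID=abc"><b>injected</b>';
// Constructed benign value of the usual shape.
$benign = 'PHPSESSID=' . str_repeat('a', 26);

foreach ([$benign, $hostile] as $sid) {
    echo "SID:              $sid\n";
    echo "unescaped:        " . link_unescaped($sid) . "\n";
    echo "strip_tags:       " . link_strip_tags($sid) . "\n";
    echo "htmlspecialchars: " . link_escaped($sid) . "\n";
    echo "well-formed:      " . (sid_is_wellformed($sid) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php` on the command line and compare the three links for the hostile value: strip_tags() drops the `<b>` and `</b>` tags but keeps the `"` and `>` that close the attribute, so the output is still not safe to place inside href, while htmlspecialchars() encodes every one of those characters. The validation variant is the stricter defence, because a session id that fails the check has no business being echoed at all; the escaping is what protects the page on the path where the value is printed regardless.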