Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session SID and strip tags
From: rasmus@php.net (Rasmus Lerdorf)
To: Juan Alonso
Cc: PHP Developers Mailing List
Date: Sun, 8 Feb 2004 13:13:33 -0800 (PST)

Read README.input_filter in the php5 tree.

On Sun, 8 Feb 2004, Juan Alonso wrote:

> Excuse my ignorance Rasmus but how do we turn on input filtering now? (I
> will pretend I know what "input filtering" is)
>
> On Sun, 08-02-2004 at 20:26, Rasmus Lerdorf wrote:
> > Perhaps the real answer here is to turn on input filtering by default so
> > we defeat XSS once and for all across the board.
> >
> > On Sun, 8 Feb 2004, Derick Rethans wrote:
> >
> > > Hey,
> > >
> > > while reading the session documentation today
> > > (en/reference/session/reference.xml) I noticed the following:
> > >
> > >     To continue, ">click
> > >     here
> > >
> > >     The strip_tags() is used when printing the SID in order to prevent XSS
> > >     related attacks.
> > >
> > > What's the point of having the SID support < and > anyway and can't we
> > > just do the 'strip_tags' internally? The usage of strip_tags() in the
> > > example is now needed, but it looks, well, kinda strange that it is
> > > needed.
> > >
> > > regards,
> > > Derick
> > >
> > > --
> > > PHP Internals - PHP Runtime Development Mailing List
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> --
> This message represents the official view of the voices in my head
>
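An added illustration of the point Derick raises, not code from the thread or from PHP itself: the session id that ends up in SID comes from the client (cookie or URL), so it can carry markup, and strip_tags() on its own only removes tags. The build_sid() and safe_sid() helpers, the whitelist pattern and the sample ids below are all constructed for this example.

```php
<?php
// Simulates how the SID constant is formed: session name, "=", session id.
// No real session is started; the ids are constructed values.
function build_sid(string $name, string $id): string {
    return $name . '=' . $id;
}

// Defensive variant: reject any id outside the character set a PHP session id
// is expected to use (assumed whitelist: alphanumerics plus "," and "-"),
// then escape for the HTML attribute context the link is printed into.
function safe_sid(string $name, string $id): string {
    if (!preg_match('/^[a-zA-Z0-9,-]+$/', $id)) {
        throw new InvalidArgumentException('session id has unexpected characters');
    }
    return htmlspecialchars($name . '=' . $id, ENT_QUOTES, 'UTF-8');
}

// A client-supplied id containing markup (constructed), beside a plausible real one.
$forged  = 'abc"><b>x</b>';
$genuine = 'd41d8cd98f00b204e9800998ecf8427e';

// Unfiltered: the markup lands in the href verbatim.
echo '<a href="nextpage.php?' . build_sid('PHPSESSID', $forged) . '">click here</a>', "\n";

// strip_tags(), as in the documented example: <b> and </b> are removed, but the
// quote and ">" survive, so the attribute is still closed early.
echo '<a href="nextpage.php?' . strip_tags(build_sid('PHPSESSID', $forged)) . '">click here</a>', "\n";

// Whitelist plus escaping: the genuine id passes, the forged one is rejected.
echo '<a href="nextpage.php?' . safe_sid('PHPSESSID', $genuine) . '">click here</a>', "\n";
try {
    safe_sid('PHPSESSID', $forged);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validating the id against a known-good character set is what makes doing the filtering "internally" safe regardless of output context; strip_tags() alone is the weaker of the two checks.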