Newsgroups: php.internals
From: jan@php.net (Jan Lehnardt)
To: Rasmus Lerdorf
Cc: PHP Developers Mailing List
Date: Sun, 15 Feb 2004 13:36:09 +0100
Subject: Re: [PHP-DEV] Session SID and strip tags
Message-ID: <8853F4C6-5FB3-11D8-89CC-000A959DD3A4@php.net>

Hi,

On 8 Feb 2004, at 21:26, Rasmus Lerdorf wrote:
> Perhaps the real answer here is to turn on input filtering by default
> so we defeat XSS once and for all across the board.

Seems like nobody is interested. I'd like to see some sort of discussion on this. How would or should an actual implementation look in PHP 5? What are the benefits (obvious, but still)? What are the drawbacks (partly obvious, but still)? Is it PHP's role to provide this kind of XSS prevention built-in, or is it sufficient to give the possibility to add it by hand (like now)? What is internals' opinion on this?

Best regards,
Jan

--