Newsgroups: php.internals
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Date: Sun, 15 Feb 2004 08:34:02 -0800 (PST)
From: rasmus@php.net (Rasmus Lerdorf)
To: Jan Lehnardt
cc: PHP Developers Mailing List
Subject: Re: [PHP-DEV] Session SID and strip tags
In-Reply-To: <8853F4C6-5FB3-11D8-89CC-000A959DD3A4@php.net>
References: <8853F4C6-5FB3-11D8-89CC-000A959DD3A4@php.net>

On Sun, 15 Feb 2004, Jan Lehnardt wrote:
> On 8 Feb 2004, at 21:26, Rasmus Lerdorf wrote:
> > Perhaps the real answer here is to turn on input filtering by default so
> > we defeat XSS once and for all across the board.
>
> Seems like nobody is interested. I'd like to see some sort
> of discussion on this. How would or should an actual implementation
> look in PHP 5? What are the benefits (obvious, but still), what are
> the drawbacks (partly obvious, but still)? Is it PHP's role to provide
> this kind of XSS prevention built-in, or is it sufficient to give the
> possibility to add it by hand (like now)? What is internals' opinion
> on this?
I don't think there is any question that PHP should play a role in helping people solve XSS, which is why I added it to PHP5. However, as it is, the average person is not going to use it since it requires implementing the security policy in C.

Implementation-wise we could go all out and break everything. Add a striptags-like filter to be applied to all remote input data and have an access function that lets you get the raw data. So something like:

  input data, POST data foo             : Hi jan@php.net
  what you see in $_POST['foo']         : Hi jan@php.net
  get_raw_data(POST, 'foo')             : Hi jan@php.net
  get_raw_data(POST, 'foo', MAIL_FILTER): jan@php.net

with various other filters possible along with user-supplied ones.

-Rasmus
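A userland sketch of the design Rasmus describes above (filtered superglobals by default, a raw-access function, and a named filter), added here as an illustration; it is not code from PHP or from the thread. The names get_raw_data() and MAIL_FILTER come from the message, while RAW_FILTER, filtered_input(), the $RAW_INPUT array and the filter semantics are assumptions, and the request values are constructed.

```php
<?php
// Constructed illustration of the proposal in the thread; not PHP's own code.
// get_raw_data() and MAIL_FILTER are the names used in the message above;
// everything else here (RAW_FILTER, filtered_input, $RAW_INPUT) is assumed.

const RAW_FILTER  = 0;   // hypothetical: hand back the input untouched
const MAIL_FILTER = 1;   // hypothetical: keep only the first e-mail address

// Constructed request data, as the SAPI would see it before any filtering.
$RAW_INPUT = [
    'POST' => [
        'foo'     => 'Hi <b>jan@php.net</b>',
        'comment' => 'nice <script>alert(1)</script> post',
    ],
];

// Default view: every remote value goes through a strip_tags-like filter,
// so the superglobal a script normally reads never carries markup.
function filtered_input(array $raw): array {
    $out = [];
    foreach ($raw as $source => $vars) {
        foreach ($vars as $k => $v) {
            $out[$source][$k] = strip_tags($v);
        }
    }
    return $out;
}

// Escape hatch from the proposal: reach the unfiltered value, or run it
// through a different filter than the default one.
function get_raw_data(string $source, string $key, int $filter = RAW_FILTER): ?string {
    global $RAW_INPUT;
    $v = $RAW_INPUT[$source][$key] ?? null;
    if ($v === null) {
        return null;
    }
    if ($filter === MAIL_FILTER) {
        return preg_match('/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/', $v, $m) ? $m[0] : null;
    }
    return $v;
}

$_POST = filtered_input($RAW_INPUT)['POST'];

printf("filtered \$_POST['foo']     : %s\n", $_POST['foo']);
printf("raw POST foo               : %s\n", get_raw_data('POST', 'foo'));
printf("MAIL_FILTER POST foo       : %s\n", get_raw_data('POST', 'foo', MAIL_FILTER));
printf("filtered \$_POST['comment'] : %s\n", $_POST['comment']);
// Caveat: stripping tags on input does not replace htmlspecialchars() at
// output time; the filtered value still needs escaping for its context.
```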