Newsgroups: php.internals
Xref: news.php.net php.internals:86837
Date: Wed, 24 Jun 2015 12:20:56 +0300
From: narf@devilix.net (Andrey Andreev)
To: Yasuo Ohgaki
Cc: Xinchen Hui, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Optimizing php_html_entities()

Hi,

On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki wrote:
> Hi Xinchen,
>
> On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui wrote:
>
>> And for the "age" usage you replied to on GitHub, I think the author of
>> such code should be aware that if it's only a number, then instead of
>> htmlspecialchars($age), he should use echo $age directly... which is
>> faster.
>>
>
> To build secure apps, users MUST escape everything for the context by
> _default_.
> Selective escaping is the cause of injection vulnerabilities, especially
> with languages like PHP.
>
> The principle is "Don't think, escape all (for the context)".
>

The key word here is "context" ... you know that there's nothing to escape for an integer, because the type is your context.

Selective escaping isn't a problem by itself; the problem is that many people use a blacklist approach instead of a whitelist one, and you can only fix that with education.

Cheers,
Andrey.
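To make the two positions in the thread concrete, here is an added example (not code from the thread, from PHP itself, or from any of the participants) of an output helper that follows "escape everything by default" while using the value's type as the context, so an integer such as `$age` is emitted without a needless `htmlspecialchars()` call and every string is escaped with a whitelist function rather than a blacklist of characters. The helper name `out()` and the sample values are assumptions constructed for this example.

```php
<?php
// Added example, not part of the original thread. Helper name `out()` and the
// sample data below are constructed for illustration.
declare(strict_types=1);

/**
 * Escape a value for an HTML text or quoted-attribute context.
 *
 * The type decides what needs escaping, which is the "context" point made in
 * the thread:
 *  - int/float: the type guarantees the output contains only digits, a sign,
 *    a dot or an exponent, so there is nothing to escape.
 *  - bool/null: rendered as fixed literals.
 *  - everything else: treated as untrusted text and passed through
 *    htmlspecialchars() with ENT_QUOTES so it is also safe inside "..." and
 *    '...' attributes. This is a whitelist approach: every special character
 *    is encoded, rather than a hand-picked set being stripped.
 */
function out(mixed $value): string
{
    return match (true) {
        is_int($value), is_float($value) => (string) $value,
        is_bool($value) => $value ? '1' : '0',
        $value === null => '',
        default => htmlspecialchars(
            (string) $value,
            ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
            'UTF-8'
        ),
    };
}

// Constructed sample data: $age has already been cast to int during input
// validation; $name and $title are arbitrary user-supplied strings.
$age   = 42;
$name  = '<b>Andrey</b> & friends';   // constructed untrusted input
$title = 'He said "hi"';              // constructed untrusted input

// Every value goes through out(), whatever its type: "don't think, escape all".
// For the integer the helper simply returns "42"; no call to htmlspecialchars().
echo '<p>Name: ' . out($name) . '</p>' . PHP_EOL;
echo '<input name="age" value="' . out($age) . '">' . PHP_EOL;
echo '<input name="title" value="' . out($title) . '">' . PHP_EOL;

// Why a blacklist is the real problem: replacing only '<' and '>' looks fine in
// text context but leaves the double quote untouched, so the same value is not
// safe inside a quoted attribute. The whitelist helper encodes it as &quot;.
$blacklisted = str_replace(['<', '>'], ['&lt;', '&gt;'], $title);
var_dump($blacklisted === $title);          // bool(true): nothing was changed
var_dump(str_contains(out($title), '"'));   // bool(false): quote is encoded
```

Running the script with PHP 8.x prints `<p>Name: &lt;b&gt;Andrey&lt;/b&gt; &amp; friends</p>`, `<input name="age" value="42">` and `<input name="title" value="He said &quot;hi&quot;">`, followed by the two `var_dump()` results. The design choice is that the decision "does this need escaping?" lives in one place and is driven by the PHP type, not by each call site inspecting the value, which is how a codebase can keep the "escape all by default" rule while still not paying for `htmlspecialchars()` on an integer.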