Newsgroups: php.internals
Xref: news.php.net php.internals:86845
Date: Wed, 24 Jun 2015 20:36:10 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Andrey Andreev
Cc: Xinchen Hui, internals@lists.php.net
Subject: Re: [PHP-DEV] Optimizing php_html_entities()

Hi Andrey,

On Wed, Jun 24, 2015 at 6:20 PM, Andrey Andreev wrote:
> On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki wrote:
> > Hi Xinchen,
> >
> > On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui wrote:
> >
> >> and for the "age" usage you replied in github, I think the author of
> >> such code should be aware, if it's only a number, then instead of
> >> htmlspecialchars($age), he should use echo $age directly... which is
> >> faster.
> >
> > To build secure apps, users MUST escape everything for the context by
> > _default_. Selective escaping is the cause of injection vulnerabilities,
> > especially with a language like PHP.
> >
> > Principle is "Don't think, escape all (for the context)".
>
> The key word here is "context" ... you know that there's nothing to
> escape for an integer, because the type is your context.
>
> Selective escaping isn't a problem by itself, but that many people use
> a blacklist approach instead of a whitelist one; and you can only fix
> that with education.

Right, and agreed. Selective escaping isn't a problem by itself, but people make mistakes, make wrong assumptions, and use the wrong blacklist approach. The same variable can be generated by different code paths/sources. It could be very hard to assure a variable is really an int/float without validation.

If one would like to make sure what a variable is and skip escaping, they need something like

It's much easier with unconditional escaping everywhere, like

if htmlspecialchars() is fast enough for int/float. (I'm not sure which one is faster.)

One example is SQLite, where making sure of a variable's type could be difficult. SQLite can store strings _regardless_ of the type definition. If developers add SQLite support, in addition to MySQL/PostgreSQL, they may create an attack vector if they don't escape unconditionally.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
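The SQLite case described in this message, as an added example that is not code from the thread or from PHP's own sources: it assumes PHP 7 or later with the pdo_sqlite extension, and the table, the two rows and the renderAge* function names are constructed for illustration. It contrasts trusting the column's declared type, escaping unconditionally for the HTML context, and validating at runtime before skipping escaping.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. SQLite type affinity only converts
// text that looks numeric into an INTEGER column; anything else is kept as
// TEXT. So "age is INTEGER, nothing to escape" is a schema-level assumption,
// not a runtime fact. Assumes pdo_sqlite; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, age INTEGER)');

$insert = $db->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
$insert->execute(['alice', 42]);
// Constructed sample standing in for a value that reached the column through
// some other code path (a bulk import, an older schema, a bug elsewhere).
$insert->execute(['mallory', '<b>not a number</b>']);

// 1. Trust the schema: "the column is INTEGER, so the type is the context".
function renderAgeTrustingSchema($age): string
{
    return (string) $age;
}

// 2. Escape unconditionally for the HTML context, whatever the value is.
//    For a real integer this is a no-op apart from the function call cost.
function renderAgeEscaped($age): string
{
    return htmlspecialchars((string) $age, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Validate at runtime and skip escaping only for a proven integer.
//    This is the kind of check a developer needs before skipping escaping.
function renderAgeValidated($age): string
{
    $n = filter_var($age, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new UnexpectedValueException('age is not an integer: ' . var_export($age, true));
    }
    return (string) $n;
}

// typeof(age) reports what SQLite actually stored, independent of the schema.
$rows = $db->query('SELECT name, age, typeof(age) AS stored_type FROM users');
foreach ($rows as $row) {
    printf("%-8s stored as %-8s PHP type %s\n", $row['name'], $row['stored_type'], gettype($row['age']));
    printf("  trusting schema: %s\n", renderAgeTrustingSchema($row['age']));
    printf("  escaped:         %s\n", renderAgeEscaped($row['age']));
    try {
        printf("  validated:       %s\n", renderAgeValidated($row['age']));
    } catch (UnexpectedValueException $e) {
        printf("  validated:       rejected (%s)\n", $e->getMessage());
    }
}
```

Run with `php example.php`. For alice all three renderers print `42`; for mallory, typeof() reports `text` despite the INTEGER column, the schema-trusting renderer emits the raw markup into the page, the unconditional escape turns it into `&lt;b&gt;not a number&lt;/b&gt;`, and the validating renderer rejects the value. Whether PDO hands the age back as a PHP int or string depends on the PHP version (8.1 and later return native SQLite types), which is one more reason the rendering decision should not depend on what the variable is assumed to be.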