Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: Johannes Schlüter <johannes@schlueters.de>
To: Chris Riley
Cc: Rowan Collins, PHP internals
Date: Mon, 21 Mar 2016 14:00:56 +0100
Message-ID: <1458565256.1034.12.camel@kuechenschabe>
References: <56EFE897.3070804@gmail.com>

Hi,

basically I agree with you: while I see the issue, I don't think this is the solution (it might have been a solution if introduced 20 years ago, making it "secure by default" and letting users opt out where needed, but now it might lead to BC hell).

But a comment here:

On Mon, 2016-03-21 at 12:42 +0000, Chris Riley wrote:
> 2. Relying on an ini setting for security is a bad idea: we did that
> with magic quotes and look how that turned out.

One can't fully compare this: magic_quotes happened before the script started. Thus the setting was outside the control of the script. With this feature it is under the control of the script. You can do ini_set() at the beginning of the script to enforce what your app needs (while writing libraries which generate output in a portable way will be harder).

With magic_quotes the only way was these foreach ($_GET) { stripslashes } loops, which often had bugs (recursion related).

johannes
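The "undo magic_quotes" loop referred to above, as an added example that is not part of the original mail or of any PHP project code. It contrasts a flat foreach over the request array (the form that commonly went wrong on nested input such as ?addr[street]=...) with a recursive version that strips slashes only on the strings that were actually escaped. The function names stripslashes_flat, stripslashes_deep and magic_quotes_active, and the sample request array, are constructed for this illustration; the get_magic_quotes_gpc() guard is there because that function was removed in PHP 8.

```php
<?php
// Added example (not from the original mail). Shows why the common
// "foreach ($_GET) { stripslashes }" clean-up loop was error-prone and how
// a recursive version avoids the nested-array bug.

// The flat form found in many old scripts (name constructed for this example):
// it only touches the top level, so nested request arrays keep their backslashes.
function stripslashes_flat(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        // Nested arrays are copied as-is and never un-escaped.
        $out[$key] = is_array($value) ? $value : stripslashes($value);
    }
    return $out;
}

// Recursive form (name constructed for this example): descends into arrays and
// strips slashes from strings only, leaving ints/bools/null untouched.
function stripslashes_deep($value)
{
    if (is_array($value)) {
        return array_map('stripslashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only undo the escaping when the runtime actually applied it; stripping slashes
// unconditionally corrupts legitimate backslashes when magic_quotes is off.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed sample of what $_GET looked like with magic_quotes_gpc=On for
//   ?name=O'Brien&addr[street]=D'Arcy Rd&page=3
$sample = [
    'name' => "O\\'Brien",
    'addr' => ['street' => "D\\'Arcy Rd"],
    'page' => 3,
];

// In real code the condition would be magic_quotes_active(); here the sample
// is already escaped, so the clean-up runs unconditionally for demonstration.
$flat = stripslashes_flat($sample);
$deep = stripslashes_deep($sample);

echo "flat: name=", $flat['name'], " street=", $flat['addr']['street'], PHP_EOL;
echo "deep: name=", $deep['name'], " street=", $deep['addr']['street'], PHP_EOL;
```

Run with `php example.php` on PHP 7 or 8: the flat version cleans `name` but leaves the nested `street` value escaped, the recursive version cleans both and passes the integer through unchanged.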