Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94102
Return-Path: <michael.vostrikov@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 25664 invoked from network); 18 Jun 2016 04:30:40 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Jun 2016 04:30:40 -0000
Authentication-Results: pb1.pair.com smtp.mail=michael.vostrikov@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=michael.vostrikov@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.182 as permitted sender)
X-PHP-List-Original-Sender: michael.vostrikov@gmail.com
X-Host-Fingerprint: 209.85.220.182 mail-qk0-f182.google.com  
Received: from [209.85.220.182] ([209.85.220.182:35251] helo=mail-qk0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8D/D0-18862-F6EC4675 for <internals@lists.php.net>; Sat, 18 Jun 2016 00:30:39 -0400
Received: by mail-qk0-f182.google.com with SMTP id c73so105828084qkg.2
        for <internals@lists.php.net>; Fri, 17 Jun 2016 21:30:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=pUef9H4AFGR6y8vSR4Q/1NAnHnOGhsUjATB7txH2BSc=;
        b=FlJ9eSpFPemWb5O17qkLkNOcmtfZo7NvgzxSN/Ojs1S1cyS2LItOD3J7JkIsZoaR9Y
         trX/jKoeysLV0uZ7k0hjypx2XRZ1s8e7P0b69mJbiHLzvI8AB6kFoNIEDk/C/dbsMfwr
         FVZePrPv4Duj3jLUc/qGCak39nD1j6tzyHbhl/SvGDM4PsWJ97x2qeL8TUcfqZWDoQso
         o+F50K7YQL3KkCPVGDM7vF6BXiKZt2C9P9UOdcTAcnPxOMpkhz2tSzLyA2lsx2rII04E
         Mkuh8ANytIqTpRzlC/EXqnuPorAMkZtZYFhONNYSZSGxxeWKKwRiiFDN0VCRHqfRj2w0
         u67w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=pUef9H4AFGR6y8vSR4Q/1NAnHnOGhsUjATB7txH2BSc=;
        b=fcQSvHiRHCbMOGiw90dknVd/jabWihNttZAbc25DY0QLbMx4PXdod7AvyROawNywzt
         CAbtxWyOsb3qMRRtzaXJhPltSzYcLlD9Rp/eQqFs9R4hh7ATzHgVhiuUtuUaq7NiSNjx
         Ec/T9bVD5AjG4+WxPPpX7W+U03QmFAAJ9+2fYQ8r1XGTH4gFAnKS2db/rvO5NvSVjkyv
         c+kKfvdVzKELZm2oag9kXzaSQCArQRp91+jApCnFHO1ffvRPIXP0Z0O1PmU87WGNpXFL
         jOamvw70etbNB96E/cYwLisi8b/QGAkkRulcMSgS6zCm2NluBQj9I48yUCxQaK8q457m
         2teA==
X-Gm-Message-State: ALyK8tLr25UejE34B8QycUdl+QzfaseOHecxZChf/y37qn2/0aqUvIhEzS9DlloiAvVPN7lnV2hsCvEwZMkKig==
X-Received: by 10.200.41.122 with SMTP id z55mr6781953qtz.34.1466224236474;
 Fri, 17 Jun 2016 21:30:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.53.71 with HTTP; Fri, 17 Jun 2016 21:30:36 -0700 (PDT)
In-Reply-To: <20160617223233.9F87B1A82559@dd1730.kasserver.com>
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com>
 <b9318b90-f850-12a2-459d-8995220922df@gmail.com> <20160617202344.2868F1A80C02@dd1730.kasserver.com>
 <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com> <20160617223233.9F87B1A82559@dd1730.kasserver.com>
Date: Sat, 18 Jun 2016 09:30:36 +0500
Message-ID: <CAEDdnaVyJxxGF9GnpnPGVh1amWMeyH2Z=Rv4auXNjc7zvG2C1g@mail.gmail.com>
To: Thomas Bley <mails@thomasbley.de>
Cc: derokorian@gmail.com, internals@lists.php.net, smalyshev@gmail.com
Content-Type: multipart/alternative; boundary=001a11409368c6b51c053585ee27
Subject: Re: [PHP-DEV] New escaped output operator
From: michael.vostrikov@gmail.com (=?UTF-8?B?0JzQuNGF0LDQuNC7INCS0L7RgdGC0YDQuNC60L7Qsg==?=)

--001a11409368c6b51c053585ee27
Content-Type: text/plain; charset=UTF-8

> e.g. it won't protect you from XSS if you ever place user-controlled data
in HTML attributes.

As I've found, such an XSS can have a place in the code like this:

$xss = "');your_code_here();//";
<div onmouseover="alert('<?php echo htmlspecialchars($xss, ENT_QUOTES,
'UTF-8') ?>')">

I think this is more architectural problem, not an escaping problem. This
is very special case when we really need it.


> If you are in a HTML context you need different escaping than you need in
a CSS or JS block.
For JS it's better to use json_encode(). And I've never met CSS+PHP output,
this is some special case.


> would be misleading people into thinking this operator is generic and can
be used in all contexts safely.
I don't think that many programmers can think so. Anyway, this can be
menthioned in documentation.


> The escaping should also be aware of the content encoding.
For special cases  - e.g. when we use one encoding and need to output a
value in another encoding - htmlspecialchars() still can be used.


> Sure you can implement that in userland, but people don't do it or make
it too complicated,
> so you get every day code with unescaped stuff.
Yes. This is the main problem.


Almost each echo operator is an output of data from database, usually this
is an entity property if the ORM is used or an array key if isn't. I'm not
talking about fully functional escaping operator for all cases, just for
most often case - output a value into HTML document. If we have a shorcut
for "<?php echo $value; ?>" then we also need a shortcut for "<?php echo
htmlspecialchars($value, ENT_QUOTES); ?>", because PHP is a web-programming
language. I think this operator can make many projects more safer.


2016-06-18 3:32 GMT+05:00 Thomas Bley <mails@thomasbley.de>:

> Sure you can implement that in userland, but people don't do it or make it
> too complicated,
> so you get every day code with unescaped stuff.
>
> Regards
> Thomas
>
> Ryan Pallas wrote on 18.06.2016 00:27:
>
> >
> >
> > On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley <mails@thomasbley.de
> <mailto:mails@thomasbley.de> > wrote:
> >> you can simply add the context to the current output operator:
> >> <?=html($str) ?>
> >> <?=attr($str) ?>
> >> <?=text($str) ?> (=strip_tags)
> >> <?=js($str) ?>
> >> <?=css($str) ?>
> >
> >
> > Look at that. Add a couple parens and its completely implementable in
> userland now with no language changes required.
> >
> >
> >> Regards
> >> Thomas
> >>
> >>
> >> Stanislav Malyshev wrote on 17.06.2016 22:14:
> >>
> >> > Hi!
> >> >
> >> >> Most of output code is an output of properties of database entities,
> and
> >> >> only in some cases it's needed to concatenate HTML into string and
> then
> >> >> print it with unescaped output. Escaped output operator can be
> useful. Also
> >> >> we output data not into the void and not into simple text file, but
> into
> >> >> HTML-document which has a certain format (markup). Also this is
> logical -
> >> >> to have both forms, escaped and unescaped.
> >> >
> >> > This has been discussed on the list a number of times. Main issue with
> >> > this kind of proposals is that escaping is context-dependent. E.g.
> >> > htmlspecialchars() would not help you in many scenarios - e.g. it
> won't
> >> > protect you from XSS if you ever place user-controlled data in HTML
> >> > attributes. Having operator for each of the possible contexts does not
> >> > really looks feasible, and having it for only one of them and not the
> >> > others would be misleading people into thinking this operator is
> generic
> >> > and can be used in all contexts safely.
> >> >
> >> > --
> >> > Stas Malyshev
> >> > smalyshev@gmail.com <mailto:smalyshev@gmail.com>
> >> >
> >> > --
> >> > PHP Internals - PHP Runtime Development Mailing List
> >> > To unsubscribe, visit: http://www.php.net/unsub.php <
> http://www.php.net/unsub.php>
> >> >
> >>
> >>
> >> --
> >> PHP Internals - PHP Runtime Development Mailing List
> >> To unsubscribe, visit: http://www.php.net/unsub.php <
> http://www.php.net/unsub.php>
> >>
> >>
>

--001a11409368c6b51c053585ee27--