Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: michael.vostrikov@gmail.com (Михаил Востриков)
To: Marco Pivetta
Cc: Niklas Keller, Rasmus Schultz, Ryan Pallas, Stanislav Malyshev, Thomas Bley, internals@lists.php.net
Date: Sun, 19 Jun 2016 13:38:29 +0500

Guys, wait please)

I don't suggest an escaping package for all contexts and for all cases. This is not what I described in my first letter.

My point is that the main job of the echo operator "" is to output an unknown value from the database to an HTML environment. So in all these places we should copy-paste the call of htmlspecialchars() to prevent XSS. There are many projects which are written on custom engines, or frameworks, or CMSs, and they do not have any templating engine, and there is no possibility to rewrite many working PHP templates to Twig, or Smarty, or something else.

I suggest a new simple operator "" which will automatically wrap the output value in htmlspecialchars(). It is intended specially for HTML, not for XML or JS. It does not require any php.ini settings, new classes or constants.
The reason for implementing it is the same as for implementing the "??", "<=>", or "" operators: make usual and frequent operations better, decrease copy-paste, and increase security.

I can implement it myself and send a patch. What do you think?

2016-06-19 12:59 GMT+05:00 Marco Pivetta :

> On 19 June 2016 at 09:53, Niklas Keller wrote:
>
>> Rasmus Schultz wrote on Sat., 18 June 2016, 17:44:
>>
>> Did you know that you can alias namespaces, too?
>>
>> You can always add more functions to a namespace even spread across
>> multiple files.
>>
>
> Pro-userland: quick reminder that a `composer update` is much quicker than
> a full system PHP version upgrade.
>
> I'd rather rely on an escaping package written in PHP, easier to maintain
> and quicker to upgrade, than something that will likely use some obscure
> shared library (or the PHP binary itself) that may not be upgraded for
> weird reasons (it's shared, remember?).
>
> I know that you put a lot of effort in security maintenance, but it's
> still easier to deal with this stuff in userland in any case, and most
> templating languages in common frameworks already inject helpers in the
> script context in order to achieve quick, effective and context-aware (no
> automatic context detection) escaping.
>
> Marco Pivetta
>
> http://twitter.com/Ocramius
> http://ocramius.github.com/
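The proposal and Marco's reply both turn on what a plain htmlspecialchars() wrapper does and does not cover. As an added illustration that is not part of this thread or of any PHP patch, the following userland helper does exactly what the proposed operator would do for each output. The function name `e`, the sample row and the markup are constructed for the example; the flags follow the htmlspecialchars() documentation.

```php
<?php
// Added example, not code from the thread: a userland equivalent of the
// proposed "echo wrapped in htmlspecialchars()" operator, with the unsafe
// copy-paste form beside it and one context the wrapper does not cover.
declare(strict_types=1);

/**
 * Escape a value for HTML text or a quoted HTML attribute (helper name is hypothetical).
 *  - ENT_QUOTES escapes both ' and ", so single-quoted attributes are covered too.
 *  - ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning "".
 *  - ENT_HTML5 selects HTML5 entity names (e.g. &apos;).
 *  - double_encode is left at its default (true): a stored "&amp;" stays "&amp;amp;",
 *    so nothing can be smuggled through as a pre-encoded entity.
 */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample "database" row: user-controlled fields as they arrive.
$row = [
    'name' => 'Mallory <script>alert(1)</script>',
    'bio'  => "x' onmouseover='alert(2)",
];

// Unsafe: raw interpolation, the mistake the proposal wants to make impossible.
$unsafe = "<p class='bio' title='{$row['bio']}'>{$row['name']}</p>";

// Safe: every dynamic value goes through e(), which is what the operator would do.
$safe = "<p class='bio' title='" . e($row['bio']) . "'>" . e($row['name']) . "</p>";

echo "UNSAFE: $unsafe\n";
echo "SAFE:   $safe\n";

// Caveat the thread raises (HTML only, no context detection): inside an
// UNQUOTED attribute, a space ends the value, and htmlspecialchars() never
// touches spaces or '=', so e() alone is not enough here. The fix is in the
// template (always quote attributes), not in the escaper.
$unquoted = "<input value=" . e('x onfocus=alert(3) autofocus') . ">";
echo "WRONG CONTEXT: $unquoted\n";
```

Running this prints the raw and escaped markup side by side; the first two lines show the operator's whole benefit, and the last line shows why Marco's "context-aware" point matters: htmlspecialchars() is the right escaper for HTML text and quoted attributes only, and a template that puts a value in an unquoted attribute, a URL or a script block needs a different rule regardless of whether the escaping is done by an operator or a userland helper.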