Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: Lester Caine <lester@lsces.co.uk>
To: internals@lists.php.net
Date: Sun, 19 Jun 2016 09:56:22 +0100
Message-ID: <57665E36.60302@lsces.co.uk>
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com>

On 19/06/16 09:38, Михаил Востриков wrote:
> My point is that the main job of the echo operator "" is to output an unknown value from
> a database to an HTML environment.
> So in all these places we should copy-paste the call of htmlspecialchars() to prevent XSS.

The majority of XSS problems are created because the free-format input INTO the application is not correctly handled. Simply banging htmlspecialchars() around totally unmanaged text is NOT the solution; handling the correct filtering of the inputs is where this should be handled.

I'm sure all of you see various attempts at XSS and SQL injections in your log files. About 20% of my overnight traffic is people trying to 'get in', but because I do not allow raw text to get through, all it results in is errors in the log files. The packages that we have had problems cleaning up have tried using the 'clean the output' approach, but this STILL left holes which can only be fixed by cleaning the input ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
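The two layers the thread is arguing over, input filtering at the boundary and htmlspecialchars() at output time, shown together as an added PHP example that is not part of the original message or of PHP itself; the helper names validate_comment and e_html and the form fields are assumed for illustration.

```php
<?php
// Added example (not from the thread). Layer 1 validates input at the boundary;
// layer 2 escapes at output time with explicit flags. validate_comment and e_html
// are illustrative names, not PHP functions or a proposed operator.
declare(strict_types=1);

// Layer 1: accept only what each field is supposed to contain and reject the
// rest, rather than trying to "clean" arbitrary text into something safe.
function validate_comment(array $post): array
{
    $errors = [];
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }
    $id = filter_var($post['post_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'post_id';
    }
    $body = trim((string) ($post['body'] ?? ''));
    // Empty, oversized, or not valid UTF-8 (preg_match with /u fails on bad bytes).
    if ($body === '' || strlen($body) > 4000 || preg_match('//u', $body) !== 1) {
        $errors[] = 'body';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'email' => $email, 'post_id' => $id, 'body' => $body];
}

// Layer 2: flags are passed explicitly because before PHP 8.1 the default
// (ENT_COMPAT) leaves single quotes untouched, which matters inside
// single-quoted attributes; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample standing in for a submitted form ($_POST).
$submitted = [
    'email'   => 'alice@example.com',
    'post_id' => '42',
    'body'    => "Nice post <b>by</b> 'Alice' & \"Bob\"",
];

$result = validate_comment($submitted);
if (!$result['ok']) {
    http_response_code(400);
    exit('Rejected fields: ' . implode(', ', $result['errors']));
}

// Validated data is stored as-is; escaping happens once per output context.
printf('<p data-author=\'%s\'>%s</p>', e_html($result['email']), e_html($result['body']));
```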