Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: Marco Pivetta <ocramius@gmail.com>
To: Lester Caine
Cc: PHP Internals List
Date: Sun, 19 Jun 2016 11:01:16 +0200
In-Reply-To: <57665E36.60302@lsces.co.uk>
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk>

On 19 June 2016 at 10:56, Lester Caine wrote:
> On 19/06/16 09:38, Михаил Востриков wrote:
> > My point is that the main job of the echo operator "" is to output an unknown value from the database into an HTML environment. So in all these places we should copy-paste the call of htmlspecialchars() to prevent XSS.
>
> The majority of XSS problems are created because the free format input INTO the application is not correctly handled. Simply banging htmlspecialchars() around totally unmanaged text is NOT the solution, and handling the correct filtering of the inputs is where this should be handled.
>
> I'm sure all of you see various attempts at XSS and SQL injections in your log files. About 20% of my overnight traffic is people trying to 'get in', but because I do not allow raw text to get through, all it results in is errors in the log files.
>
> The packages that we have had problems cleaning up have tried using the 'clean the output' approach, but this STILL left holes which can only be fixed by cleaning the input ...

This basically means that you lack basic understanding of how escaping and user input are to be handled.

Most apps out there are about getting a bunch of text from the user, then rendering it somewhere else in the app. Cleaning user input just leads to frustration and a big mess in most scenarios, which is why we're all talking about escaping output instead. This is not "cleaning" either, it's escaping, which is a non-destructive and reversible operation (which is why it works so well).

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/
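An added example, not part of the thread, contrasting the two approaches argued above: escaping on output with htmlspecialchars() leaves the stored value untouched and round-trips exactly, while "cleaning" on input with strip_tags() is lossy for hostile and legitimate text alike. The `e()` helper and the sample inputs are constructed for this illustration; `e()` is not the operator proposed in the RFC.

```php
<?php
declare(strict_types=1);

// Escape-on-output: the value is stored as typed and only its
// representation inside an HTML text/attribute context changes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "Clean-on-input": a lossy transformation applied before storage.
function cleanInput(string $value): string
{
    return strip_tags($value);
}

// Constructed sample inputs: one hostile, one perfectly legitimate.
$samples = [
    'hostile'    => '<script>alert(1)</script>',
    'legitimate' => 'Use a <b> tag; note that 1 < 2 && "x" != \'y\'',
];

foreach ($samples as $label => $input) {
    // Escaping is reversible: decoding the escaped form (done here only to
    // demonstrate the round trip, never for rendering) yields the original,
    // provided the input was valid UTF-8 so ENT_SUBSTITUTE had nothing to replace.
    $escaped   = e($input);
    $restored  = htmlspecialchars_decode($escaped, ENT_QUOTES | ENT_HTML5);
    $roundTrip = ($restored === $input);

    // Cleaning is not: the <b> the user wrote about is gone, and so is
    // any record of what was typed, so there is no way back.
    $cleaned = cleanInput($input);

    printf(
        "[%s]\n  stored as typed : %s\n  escaped output  : %s\n  round-trip ok   : %s\n  strip_tags      : %s\n\n",
        $label,
        $input,
        $escaped,
        $roundTrip ? 'yes' : 'no',
        $cleaned
    );
}
```

The escaped form is what belongs in the HTML response; the decode step exists only to show that the original value is recoverable from it.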