Newsgroups: php.internals
Xref: news.php.net php.internals:94130
Subject: Re: [PHP-DEV] New escaped output operator
From: scott@paragonie.com (Scott Arciszewski)
To: Lester Caine
Cc: PHP Internals
Date: Sun, 19 Jun 2016 13:28:30 -0400
In-Reply-To: <5766D311.6030503@lsces.co.uk>
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk>

On Sun, Jun 19, 2016 at 1:14 PM, Lester Caine wrote:
> On 19/06/16 10:01, Marco Pivetta wrote:
> > This basically means that you lack basic understanding of how escaping and
> > user input are to be handled.
> > Most apps out there are about getting a bunch of text from the user, then
> > rendering it somewhere else in the app.
> > Cleaning user input just leads to frustration and a big mess in most
> > scenarios, which is why we're all talking about escaping output instead.
> > This is not "cleaning" either, it's escaping, which is a non-destructive
> > and reversible operation (which is why it works so well).
>
> Well we have to disagree ... simply expecting htmlspecialchars() to fix
> all your problems without proper handling of the input text is 'the big
> mess' and there is NO need to simply slap htmlspecialchars() onto
> properly built data, so the idea is totally pointless!
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

Let me tell you a story.

Once upon a time, WordPress decided to escape user input to protect against
XSS attacks. Then this happened:

https://klikki.fi/adv/wordpress2.html
(Stored XSS via MySQL Column Truncation vulnerability.)

Escaping against XSS attacks should happen on output, not on input. Dead
stop.

You MAY cache the escaped output for performance gains, but keep the
unescaped data in the database in case you need to adjust your escaping
strategy without mangling existing data.

Further reading:
https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
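The two strategies Scott contrasts, escape-on-input versus store-raw-and-escape-on-output, as an added example that is not part of the thread and not code from WordPress, PHP or Paragon. It uses an in-memory stand-in for a column that silently truncates overlong values (the behaviour of a non-strict MySQL VARCHAR); the column width of 18, the sample input and the function names (storeInColumn, escapeHtml, escapeJson) are all constructed for illustration, and json_encode with JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from PHP/WordPress.
// Models the failure mode Scott describes: data escaped before storage
// is chopped by a truncating column and is also welded to one output
// context, whereas raw data escaped at output time survives both.

const COLUMN_WIDTH = 18; // constructed: width of a hypothetical VARCHAR column

/**
 * Stand-in for INSERT into a non-strict VARCHAR(COLUMN_WIDTH) column:
 * anything past the column width is silently dropped.
 */
function storeInColumn(string $value): string
{
    return mb_substr($value, 0, COLUMN_WIDTH, 'UTF-8');
}

/** Escape for an HTML body or attribute context, at the moment of output. */
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for a JSON/JavaScript context: a different strategy for a different sink. */
function escapeJson(string $raw): string
{
    return json_encode(
        $raw,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$userInput = 'Tom & Jerry <3 "cats"'; // constructed user-supplied text

// Anti-pattern: escape on input, then store. The column cuts the escaped
// string mid-entity, and the stored text now only makes sense in HTML.
$escapedOnInput = storeInColumn(escapeHtml($userInput));
echo "escaped on input, after storage: {$escapedOnInput}\n";

// A correct output layer escapes again, so the same data is now double-escaped.
echo "  ...then escaped again on output: " . escapeHtml($escapedOnInput) . "\n";

// Reused in a JSON context the HTML entities are simply wrong.
echo "  ...reused in JSON:               " . escapeJson($escapedOnInput) . "\n";

// Correct pattern: store the raw data, escape for each output context.
$rawStored = storeInColumn($userInput);
echo "raw stored:                      {$rawStored}\n";
echo "  escaped for HTML on output:    " . escapeHtml($rawStored) . "\n";
echo "  escaped for JSON on output:    " . escapeJson($rawStored) . "\n";
```

Run it with `php example.php`. The pre-escaped value comes out of the column cut in the middle of an `&lt;` entity and gets double-escaped by any output layer that does its job, while the raw value is merely shorter and escapes cleanly for whichever context renders it; that is the property that lets you change the escaping strategy later without touching stored data.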