Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Sun, 19 Jun 2016 21:03:29 +0100
Message-ID: <5766FA91.60803@lsces.co.uk>
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk>

On 19/06/16 19:33, Михаил Востриков wrote:
> Lester
>
>>> there is NO need to simply slap htmlspecialchars() onto
>>> properly built data
> There are many cases when user data can contain quotes or other html
> entities.
>
> // $book['title'] = 'When we say "Hello"';
>
> // $user['about_me'] = 'I am a programmer. I like to write in "About me" field';

( Cut moan about top posting and duplicating sigs and I use plain text for any email archive )

Now ... I want to add content that includes it needs to be in the format <script>alert("xss")<script> so that it never appears in the 'dangerous' format, but if $user['about_me'] is designated a simple text string, then any attempt to add via an input should be blocked! The input processing of text needs to understand what it is expecting to receive and process it accordingly, so if the content is material such as email messages it can be correctly processed for storage by escaping if necessary.

The fun comes when you are looking for content such as "About me" AFTER the data has been sanitised. In this case the search term needs to be processed as well so "About me" ... so again one needs to know just what state the data is in and my input process converts ' to ' as well to be safe when using single quotes.

Of course there are very good reasons why messages and comments should be limited to simple text. Many Wordpress/Joomla/etc problems would have been prevented if the trend to use HTML for everything had not started. Strip any tags and just leave the raw text is ideal for comment fields which can be the target for scammers where uncontrolled access may be required. And if there is a limit on field size in the database, the same restriction should apply to the data entry ... If the data is expanded by the sanitising process that also needs to be taken into account, along with multi-byte characters.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
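An added example, not code from this thread or from PHP itself, contrasting escape-at-output with the "sanitise on input" approach the reply describes: the search-term state problem and the length expansion that escaping causes. The sample values are constructed from the quoted messages; `escapeForHtml` and the variable names are the example's own.

```php
<?php
// Added example, not from the thread: contrast escaping at output time with
// escaping on input, using constructed sample data.
declare(strict_types=1);

// Constructed inputs, modelled on the quoted $book['title'] / $user['about_me'].
$title   = 'When we say "Hello"';
$aboutMe = "I am a programmer. I like to write in \"About me\" field <script>alert('xss')</script>";

function escapeForHtml(string $s): string
{
    // ENT_QUOTES also converts the single quote, so the result is safe inside
    // single-quoted attributes as well as between tags.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approach A: store the raw text, escape only when rendering.
$storedRaw = $aboutMe;
$hitRaw    = stripos($storedRaw, '"About me"') !== false;      // true: search on raw data
$htmlA     = '<p>' . escapeForHtml($storedRaw) . '</p>';        // markup is rendered inert

// Approach B: escape on input and store the escaped form. The stored data is now
// in a different state, so a search term must go through the same conversion.
$storedEscaped = escapeForHtml($aboutMe);
$hitNaive      = strpos($storedEscaped, '"About me"') !== false;                 // false
$hitConverted  = strpos($storedEscaped, escapeForHtml('"About me"')) !== false;  // true

// Escaping expands the text: a column sized for the raw input can truncate the
// escaped form, cutting an entity in half. Count characters, not bytes, so
// multi-byte input is measured the same way a character-based column limit is.
$limit       = 25;
$rawLen      = mb_strlen($title, 'UTF-8');                 // 19
$escapedLen  = mb_strlen(escapeForHtml($title), 'UTF-8');  // 29 (each " became &quot;)
$fitsRaw     = $rawLen <= $limit;                          // true
$fitsEscaped = $escapedLen <= $limit;                      // false

// For plain-text comment fields, drop markup instead of escaping it
// (the tags go; any text between them stays).
$plainOnly = strip_tags($aboutMe);

printf("A: search=%s html=%s\n", var_export($hitRaw, true), $htmlA);
printf("B: naive=%s converted=%s\n", var_export($hitNaive, true), var_export($hitConverted, true));
printf("length: raw=%d escaped=%d fitsRaw=%s fitsEscaped=%s\n",
    $rawLen, $escapedLen, var_export($fitsRaw, true), var_export($fitsEscaped, true));
printf("plain: %s\n", $plainOnly);
```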