Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94139
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83875 invoked from network); 20 Jun 2016 00:04:33 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 20 Jun 2016 00:04:33 -0000
Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error)
X-PHP-List-Original-Sender: mails@thomasbley.de
X-Host-Fingerprint: 85.13.128.151 dd1730.kasserver.com
Received: from [85.13.128.151] ([85.13.128.151:34770] helo=dd1730.kasserver.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D0/70-13473-F0337675 for ; Sun, 19 Jun 2016 20:04:32 -0400
Received: from dd1730.kasserver.com (dd0800.kasserver.com [85.13.143.204]) by dd1730.kasserver.com (Postfix) with ESMTPSA id C801A1A803CF; Mon, 20 Jun 2016 02:04:28 +0200 (CEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SenderIP: 95.91.212.214
User-Agent: ALL-INKL Webmail 2.11
In-Reply-To:
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk>
To: michael.vostrikov@gmail.com, walterp@gmail.com
Cc: scott@paragonie.com, lester@lsces.co.uk, internals@lists.php.net
Message-ID: <20160620000428.C801A1A803CF@dd1730.kasserver.com>
Date: Mon, 20 Jun 2016 02:04:28 +0200 (CEST)
Subject: Re: [PHP-DEV] New escaped output operator
From: mails@thomasbley.de ("Thomas Bley")

You can never avoid people writing things incorrectly, just look at code using addslashes() instead of mysql_real_escape_string() ...
Regards
Thomas

Walter Parker wrote on 20.06.2016 01:41:
>>> where getting it 90% correct is worse than not doing anything at all.
>>> Things like this will cause people to be blindsided when the uncaught
>>> escapes cause the next major security problem.
>>
>> Why do you think so? What real problems can happen if there will be a
>> short operator for htmlspecialchars()?
>>
> What could happen is this getting sold/documented as a general purpose
> security feature:
> "Use ' outputting HTML that was stored in a DB." What it solves is a subset,
> which is escaping characters stored in a data that have special meanings to
> HTML. My concern is that the remaining security issues might get overlooked or
> ignored because ' htmlspecialchars, UTF-8 and certain language-specific characters (non
> English). There were also issues with quotes in the past.
>
>
> Walter
>
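The points Walter raises above (single quotes, UTF-8 handling, and HTML escaping being only a subset of output security) can be seen directly with plain htmlspecialchars() calls. The script below is an added illustration, not code from this thread or from any proposal discussed in it; the sample value and the three small helper functions are constructed for the example.

```php
<?php
// Added example, not from the thread: demonstrates the flag and context
// pitfalls of htmlspecialchars() that a short escaping operator would inherit.
declare(strict_types=1);

// Constructed sample value, as it might be read back from a database:
// a single quote, double quotes, a tag, a valid UTF-8 "é" and one stray
// 0xFF byte that is not valid UTF-8.
$value = "O'Reilly said \"<b>hi</b>\" caf\xC3\xA9 \xFF";

// 1. Quotes. ENT_COMPAT (the default flag set before PHP 8.1) leaves the
//    single quote untouched, so the result is not safe inside a
//    single-quoted attribute such as title='...'. ENT_QUOTES escapes both.
$compat = htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
$quotes = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quotes\n";

// 2. UTF-8. Without ENT_SUBSTITUTE (or ENT_IGNORE), an invalid byte sequence
//    makes htmlspecialchars() return an empty string: the output silently
//    vanishes instead of being escaped, which is easy to miss in testing.
$strict = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
if ($strict === '') {
    echo "invalid UTF-8 without ENT_SUBSTITUTE: whole string dropped\n";
}

// 3. Context. HTML escaping only addresses HTML text and attribute values.
//    The same value placed in a <script> block or a URL needs a different
//    encoder, and nested contexts need the encoders applied in order.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJs(string $s): string
{
    // JSON encoding with the hex flags yields a JavaScript string literal
    // that cannot close the surrounding <script> tag or break out of quotes.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

function escapeUrlParam(string $s): string
{
    // Percent-encoding for a query-string value; the attribute it lands in
    // still needs HTML escaping on top (see $urlContext below).
    return rawurlencode($s);
}

$htmlContext = '<p>' . escapeHtml($value) . '</p>';
$jsContext   = '<script>var name = ' . escapeJs($value) . ';</script>';
$urlContext  = '<a href="/search?q=' . escapeHtml(escapeUrlParam($value)) . '">search</a>';

echo $htmlContext, "\n", $jsContext, "\n", $urlContext, "\n";
```

Running it shows that the ENT_COMPAT line still carries a raw apostrophe, that the ENT_QUOTES-only call returns an empty string because of the stray byte, and that the script and URL contexts produce output that a bare htmlspecialchars() call would not have made safe.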