Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: Walter Parker <walterp@gmail.com>
To: Михаил Востриков
Cc: Scott Arciszewski, Lester Caine, PHP Internals
Date: Sun, 19 Jun 2016 20:30:17 -0700

Good, then we do agree, as what I said was what I DID NOT want to see in the documentation. This should be documented as a shortcut for . It should be further pointed out that while this will be useful in catching many XSS and other HTML issues, it will not catch all of them, so care and attention to proper data hygiene is still required.

Walter

On Sun, Jun 19, 2016 at 8:22 PM, Михаил Востриков <michael.vostrikov@gmail.com> wrote:

> > "Use ' outputting HTML that was stored in a DB."
> I don't think this is a good phrase for documentation. This form should be considered exactly as htmlspecialchars, taking into account any language- and encoding-specific issues, and this should be pointed out in the documentation. This is a shortcut for a frequent operation, like '??' for an isset() check. And it can really improve security, not in 90% but in about 99.9999% of cases.
>
> 2016-06-20 4:41 GMT+05:00 Walter Parker:
>
>>>> where getting it 90% correct is worse than not doing anything at all. Things like this will cause people to be blindsided when the uncaught escapes cause the next major security problem.
>>>
>>> Why do you think so? What real problems can happen if there is a short operator for htmlspecialchars()?
>>
>> What could happen is this getting sold/documented as a general purpose security feature: "Use '> outputting HTML that was stored in a DB." What it solves is a subset, which is escaping characters stored in data that have special meanings to HTML. My concern is that the remaining security issues might get overlooked or ignored because '> htmlspecialchars, UTF-8 and certain language-specific characters (non English). There were also issues with quotes in the past.
>>
>> Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
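The thread's two technical points, that the proposed operator is just htmlspecialchars() and that quotes and UTF-8 handling have been trouble spots for that function, can be seen by calling the function with explicit flags next to the version-dependent defaults. The following is an added example written for this page, not code from the thread or from the RFC; the helper names escapeHtml and escapeJs are made up, and the sample inputs are constructed. It also goes one step beyond the thread by showing a separate escaper for a JavaScript string context, since htmlspecialchars() is not the right tool there.

```php
<?php
declare(strict_types=1);

// Added example, not from the php.internals thread. Helper names and the
// sample inputs below are made up for illustration.

// HTML text node / quoted-attribute context: this is what the proposed
// operator amounts to, with the flags spelled out instead of relying on
// defaults that differ between PHP versions.
function escapeHtml(string $value): string
{
    // ENT_QUOTES      escape ' as well as " (before PHP 8.1 the default was
    //                 ENT_COMPAT, which left the single quote alone)
    // ENT_SUBSTITUTE  replace invalid UTF-8 with U+FFFD instead of returning
    //                 an empty string (the pre-8.1 behaviour, which silently
    //                 drops the whole value)
    // ENT_HTML5       emit &apos; for the single quote
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context: htmlspecialchars() does not produce a
// valid JS literal. json_encode() with the HEX flags does, with <, >, &, '
// and " hex-escaped so the literal can sit inside a <script> block.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = [
    'plain'    => 'Hello, world',
    'markup'   => '<b>bold</b> & "quoted"',
    'apos'     => "it's",
    'cyrillic' => 'Привет',     // valid non-ASCII UTF-8: passes through unchanged
    'latin1'   => "caf\xE9",    // a Latin-1 byte, invalid as UTF-8
];

foreach ($samples as $name => $input) {
    // Default flags: ENT_COMPAT before PHP 8.1 (single quote untouched, invalid
    // UTF-8 yields ''), ENT_QUOTES | ENT_SUBSTITUTE from 8.1 on.
    printf("%-8s default : %s\n", $name, var_export(htmlspecialchars($input), true));
    printf("%-8s explicit: %s\n", $name, var_export(escapeHtml($input), true));
    try {
        printf("%-8s js      : %s\n", $name, escapeJs($input));
    } catch (JsonException $e) {
        // Invalid UTF-8 cannot become a JSON literal; refuse rather than emit garbage.
        printf("%-8s js      : rejected (%s)\n", $name, $e->getMessage());
    }
}
```

Run it with `php example.php`. On PHP 8.1 or newer the `default` and `explicit` lines agree for every sample; on older versions the `apos` sample keeps its bare single quote and the `latin1` sample collapses to an empty string under the defaults, which is exactly the kind of quote and encoding edge case the thread refers to. Neither helper makes a value safe in an unquoted attribute, a URL, or a CSS value; each of those contexts needs its own escaping, which is the "subset" limitation Walter describes.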