Newsgroups: php.internals
Xref: news.php.net php.internals:94142
Date: Sun, 19 Jun 2016 20:39:59 -0700
From: davey@php.net (Davey Shafik)
To: Walter Parker
Cc: Михаил Востриков, Scott Arciszewski, Lester Caine, PHP Internals
In-Reply-To / References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk>
Subject: Re: [PHP-DEV] New escaped output operator

On Sun, Jun 19, 2016 at 8:30 PM, Walter Parker wrote:
> Good, then we do agree, as what I said was what I DID NOT want to see in
> the documentation.
>
> This should be documented as a shortcut for ?>. It should be further pointed out that while this will be useful in
> catching many XSS and other HTML issues, it will not catch all of them, so
> care and attention to proper data hygiene is still required.
>
>
> Walter
>
> On Sun, Jun 19, 2016 at 8:22 PM, Михаил Востриков <michael.vostrikov@gmail.com> wrote:
>
> > > > "Use '
> > > > outputting HTML that was stored in a DB."
> > I don't think this is a good phrase for documentation. This form should be
> > considered exactly as htmlspecialchars, taking into account any
> > language- and encoding-specific issues, and this should be pointed out in the
> > documentation. This is a shortcut for a common operation, like '??' for an isset()
> > check. And it can really improve security, not in 90% but in about 99.9999% of
> > cases.
> >
> > 2016-06-20 4:41 GMT+05:00 Walter Parker :
> >
> >>
> >>>
> >>> > where getting it 90% correct is worse than not doing anything at all.
> >>> > Things like this will cause people to be blindsided when the uncaught
> >>> escapes
> >>> > cause the next major security problem.
> >>>
> >>> Why do you think so? What real problems can happen if there is a
> >>> short operator for htmlspecialchars()?
> >>>
> >> What could happen is this getting sold/documented as a general purpose
> >> security feature:
> >> "Use '
> >> outputting HTML that was stored in a DB." What it solves is a subset,
> >> which is escaping characters stored in data that have special meanings to
> >> HTML. My concern is that the remaining security issues might get overlooked or
> >> ignored because '
> >> htmlspecialchars, UTF-8 and certain language-specific characters (non
> >> English). There were also issues with quotes in the past.
> >>

There will never be a way to make this operator useful to a majority of users or use cases; similar ideas have been discussed many times in the past. If we get annotations then you might be able to hook something in from userland transparently that understands your specific context and application. This would be much more feasible IMO.

- Davey
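As an added illustration of the thread's points (not code from the PHP project or from any of the posters): the call the proposed shortcut stands for, with the flags that address the quote and UTF-8 problems mentioned above, next to a check for a context (a URL in an attribute) where HTML escaping alone is not the right tool. The function names and sample strings are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample values (not from the thread); "\xE9" is a Latin-1
// byte that is invalid in UTF-8.
const SAMPLES = [
    'quotes'   => "O'Reilly & <b>Sons</b>",
    'badutf8'  => "caf\xE9",
    'cyrillic' => 'Михаил',
];

// What the proposed operator expands to. Flags matter: before PHP 8.1 the
// default was ENT_COMPAT (single quote left alone), and without
// ENT_SUBSTITUTE an invalid UTF-8 sequence makes htmlspecialchars() return "".
function escape_html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The same transformation is correct inside a double-quoted attribute value.
function attr(string $name, string $value): string
{
    return sprintf('%s="%s"', $name, escape_html_text($value));
}

// A URL in href is a different context: escaping keeps the markup
// well-formed but says nothing about the scheme, so validate first.
function safe_href(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return null; // unparseable
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // only http(s) or relative URLs are accepted
    }
    return attr('href', $url);
}

foreach (SAMPLES as $label => $raw) {
    printf("%-8s legacy=%s hardened=%s\n", $label,
        var_export(htmlspecialchars($raw, ENT_COMPAT, 'UTF-8'), true),
        var_export(escape_html_text($raw), true));
}
echo attr('title', SAMPLES['quotes']), "\n";
var_dump(safe_href('https://example.com/?a=1&b=2'));
var_dump(safe_href('mailto:someone@example.com'));
```

The legacy column shows the two failure modes the thread alludes to: the single quote passing through untouched and the invalid-UTF-8 input collapsing to an empty string.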