Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: Niklas Keller <me@kelunik.com>
To: Lester Caine, internals@lists.php.net
Date: Mon, 20 Jun 2016 06:00:26 +0000

Lester Caine wrote on Sun., 19 June 2016, 22:03:

> On 19/06/16 19:33, Михаил Востриков wrote:
> > Lester
> >
> >> > there is NO need to simply slap htmlspecialchars() onto
> >> > properly built data
> > There are many cases when user data can contain quotes or other html
> > entities.
> >
> > " />
> > // $book['title'] = 'When we say "Hello"';
> >
> >
> > // $user['about_me'] = 'I am a programmer. I like to write
> > in "About me" field';
>
> ( Cut moan about top posting and duplicating sigs and I use plain text
> for any email archive )
>
> Now ... I want to add content that includes it needs to be in the format
> <script>alert("xss")<script> so that it never
> appears in the 'dangerous' format, but if $user['about_me'] is
> designated a simple text string, then any attempt to add
> via an input should be blocked!

No, it shouldn't be blocked. It should just be escaped on output. What if
that's a comment to a tech blog, where we talk about these things instead
of trying to find a vulnerability?

> The input processing of text needs to understand what it is expecting to receive
> and process it accordingly, so if the content is material such as email
> messages it can be correctly processed for storage by escaping if
> necessary. The fun comes when you are looking for content such as "About
> me" AFTER the data has been sanitised. In this case the search term
> needs to be processed as well so "About me" ...

One more reason not to escape on input.

> so again one
> needs to know just what state the data is in and my input process
> converts ' to ' as well to be safe when using single quotes.

What if you suddenly start to output it in JSON or plain text format?
Suddenly you need a different escaping. You really shouldn't escape on
input, as your input doesn't know where it's used. What you should do on
input is validation, so decide whether it's in the right format. But if it
doesn't validate, you reject it and don't even save it.

> Of course there are very good reasons why messages and comments should be
> limited to simple text. Many Wordpress/Joomla/etc problems would have
> been prevented if the trend to use HTML for everything had not started.
> Strip any tags and just leave the raw text is ideal for comment fields
> which can be the target for scammers where uncontrolled access may be
> required. And if there is a limit on field size in the database, the
> same restriction should apply to the data entry ... If the data is
> expanded by the sanitising process that also needs to be taken into
> account, along with multi byte characters.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
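The approach argued for in the reply above, as an added example that is neither part of this thread nor PHP's own code: the `about_me` value is validated on input but stored raw, and that single stored value is escaped differently at each output context (HTML attribute, HTML body, JSON, plain text), so searching the stored text still works. The validation rules (`validateAboutMe`), the escaper names and the sample comment are constructed for this illustration.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): validate on input, store the raw
// value, and escape at each output site according to that site's context.

// Input side: validate only. Reject what is unacceptable, never rewrite it.
function validateAboutMe(string $input): string
{
    // Constructed rules: valid UTF-8, bounded length, no control characters.
    // The length check runs on the raw text, so a database column limit
    // applies to exactly what is stored, and multibyte text is counted right.
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('about_me must be valid UTF-8');
    }
    if (mb_strlen($input, 'UTF-8') > 500) {
        throw new InvalidArgumentException('about_me is limited to 500 characters');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $input) === 1) {
        throw new InvalidArgumentException('about_me contains control characters');
    }
    return $input; // stored exactly as received
}

// Output side: one escaper per context, applied where the value is used.
function escHtml(string $raw): string
{
    // ENT_QUOTES escapes both quote styles, so this is safe in element
    // content and in double- or single-quoted attribute values.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escJson($value): string
{
    // JSON is a different context with a different escaping; the HEX flags
    // also keep the result safe if it is later inlined in a <script> block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Constructed sample: a comment on a tech blog that discusses XSS.
$aboutMe = validateAboutMe('I write in the "About me" field & <script>alert("xss")</script>');

echo '<input value="' . escHtml($aboutMe) . '" />', "\n";   // HTML attribute
echo '<p>', escHtml($aboutMe), '</p>', "\n";                  // HTML body
echo escJson(['about_me' => $aboutMe]), "\n";                 // JSON API response
echo "About me: $aboutMe\n";                                  // plain-text e-mail: no HTML escaping

// Searching works on the raw value because nothing rewrote it on the way in.
var_dump(stripos($aboutMe, '"About me"') !== false);
```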