Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94147
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 14025 invoked from network); 20 Jun 2016 09:12:45 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Jun 2016 09:12:45 -0000
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.230 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.230 mail4-3.serversure.net Linux 2.6
Received: from [217.147.176.230] ([217.147.176.230:51150] helo=mail4.serversure.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EA/E2-25084-B83B7675 for <internals@lists.php.net>; Mon, 20 Jun 2016 05:12:44 -0400
Received: (qmail 11329 invoked by uid 89); 20 Jun 2016 09:12:41 -0000
Received: by simscan 1.3.1 ppid: 11322, pid: 11325, t: 0.0872s
         scanners: attach: 1.3.1 clamav: 0.96/m:52/d:10677
Received: from unknown (HELO ?10.0.0.7?) (lester@rainbowdigitalmedia.org.uk@81.138.11.136)
  by mail4.serversure.net with ESMTPA; 20 Jun 2016 09:12:41 -0000
To: internals@lists.php.net
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com>
 <b9318b90-f850-12a2-459d-8995220922df@gmail.com>
 <20160617202344.2868F1A80C02@dd1730.kasserver.com>
 <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com>
 <CADqTB_ijxN_ZVcAdLrpnejtYNO2x6Z1Q4PcnARCRE+etDuhF3w@mail.gmail.com>
 <CANUQDCjgSohsYWmkWOLfdL+9Jzio_uY-vnYVc4fzd6kmGaL46g@mail.gmail.com>
 <CADyq6sJmj=bnN+65-59UrsJuuc8dYxP3HPqNOktjnRFexcFVWA@mail.gmail.com>
 <CAEDdnaUz3_6sVN07G+KF15B0avDoTV85UiR1mLie-F3orMrUog@mail.gmail.com>
 <57665E36.60302@lsces.co.uk>
 <CADyq6sKPDtC5Q=OV7D5qQF2W6XgJCyKXpatU0KB=StveXA8pdw@mail.gmail.com>
 <5766D311.6030503@lsces.co.uk>
 <CAKws9z3UyQxiXpC8Jbv5tf6guzn+pgdp76B49ZsUdS08s-Jtaw@mail.gmail.com>
 <CAMPTd_A86iCrytrHwp87GyjLU8FX+BbLsdREOpNfUc=_McRMow@mail.gmail.com>
 <CAEDdnaUi5hvOAkkPWWk3YVNxMjsCbntB-W70a8sPXFkKHJGY8w@mail.gmail.com>
 <5766FA91.60803@lsces.co.uk>
 <CANUQDCis9TVyR6fNbDOfCWF1fJeqU0M+Gby-_C47pEXZocBang@mail.gmail.com>
Message-ID: <5767B388.8060807@lsces.co.uk>
Date: Mon, 20 Jun 2016 10:12:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <CANUQDCis9TVyR6fNbDOfCWF1fJeqU0M+Gby-_C47pEXZocBang@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] New escaped output operator
From: lester@lsces.co.uk (Lester Caine)

On 20/06/16 07:00, Niklas Keller wrote:
>> Now ... I want to add content that includes
>> > <script>alert("xss")</script> it needs to be in the format
>> > &lt;script&gt;alert(&quot;xss&quot;)&lt;script&gt; so that it never
>> > appears in the 'dangerous' format, but if $user['about_me'] is
>> > designated a simple text string, then any attempt to add
>> > <script>alert("xss")</script> via an input should be blocked!
> 
> No, it shouldn't be blocked. It should just be escaped on output. What if
> that's a comment to a tech blog, where we talk about these things instead
> of trying to find a vulnerability?

Re-read what I wrote!
You should ALWAYS sanitise simple text such as short descriptions, and
even user names and other simple text fields and I would always do that
with strings like $user['about_me'] ... '<?~' creates a false sense of
security when users should be educated as to the risks that NOT
validating data can create. Such as overflowing field sizes and creating
text which internally can cause problem even before outputting to a
browser ... such as quotes in combined strings.

( Rowan sums up the output side nicely ... )

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk