Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: me@kelunik.com (Niklas Keller)
To: Lester Caine
Cc: PHP Internals
Date: Mon, 20 Jun 2016 12:51:55 +0200
In-Reply-To: <5767B388.8060807@lsces.co.uk>
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk> <5766FA91.60803@lsces.co.uk> <5767B388.8060807@lsces.co.uk>

2016-06-20 11:12 GMT+02:00 Lester Caine:

> On 20/06/16 07:00, Niklas Keller wrote:
>>> Now ... I want to add content that includes
>>> it needs to be in the format
>>> <script>alert("xss")<script> so that it never
>>> appears in the 'dangerous' format, but if $user['about_me'] is
>>> designated a simple text string, then any attempt to add
>>> via an input should be blocked!
>>
>> No, it shouldn't be blocked. It should just be escaped on output. What if
>> that's a comment to a tech blog, where we talk about these things instead
>> of trying to find a vulnerability?
>
> Re-read what I wrote!

I read it and I fundamentally disagree with that.

> You should ALWAYS sanitise simple text such as short descriptions, and
> even user names and other simple text fields and I would always do that
> with strings like $user['about_me'] ... ' security

You're right. But it's the case because it doesn't obey the output context. It's not because it escapes on output.

> when users should be educated as to the risks that NOT
> validating data can create. Such as overflowing field sizes and creating
> text which internally can cause problem even before outputting to a
> browser

Data validation is a totally different topic and not what this thread is about.

> such as quotes in combined strings.

Where's that an issue?

> ( Rowan sums up the output side nicely ... )
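To illustrate the point made in the reply above, that the stored string stays as the user wrote it and the escaping is chosen by the output context at render time, here is an added PHP example that is not part of the thread; the helper names esc_html, esc_attr, esc_js and esc_url_param and the sample comment are assumptions made for this example.

```php
<?php
// Added example (not from the thread): one stored string, escaped per
// output context when rendered. Nothing is rejected or rewritten on input.
declare(strict_types=1);

/** Escape for text between HTML tags. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a double-quoted HTML attribute value (ENT_QUOTES covers both quote kinds). */
function esc_attr(string $s): string
{
    return esc_html($s);
}

/** Escape for a JavaScript string literal inside a <script> block. */
function esc_js(string $s): string
{
    // JSON_HEX_TAG turns < and > into \u003C and \u003E, so a "</script>"
    // inside the data cannot terminate the surrounding script element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

/** Escape for a single value inside a URL query string. */
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample: a tech-blog comment that legitimately talks about XSS.
$user = ['about_me' => 'Try <script>alert("xss")</script> & see what happens'];
$about = $user['about_me'];

// The same stored value, rendered safely into four different contexts.
echo '<p>' . esc_html($about) . "</p>\n";
echo '<input value="' . esc_attr($about) . "\">\n";
echo '<script>var aboutMe = ' . esc_js($about) . ";</script>\n";
echo '<a href="/search?q=' . esc_url_param($about) . "\">search</a>\n";

// Input-side "sanitising" by contrast mutilates the legitimate comment:
// the tags are gone and the reader no longer sees what was written.
echo esc_html(strip_tags($about)) . "\n";
```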