Newsgroups: php.internals
Xref: news.php.net php.internals:94163
Subject: Re: [PHP-DEV] New escaped output operator
From: rowan.collins@gmail.com (Rowan Collins)
To: "internals@lists.php.net"
Date: Mon, 20 Jun 2016 23:00:13 +0100
References: <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk> <57680CF5.2070003@lsces.co.uk>

On 20 June 2016 17:40:05 GMT+01:00, "Михаил Востриков" wrote:

> Actually, htmlspecialchars() is needed in all three cases: ...
> You may not write htmlspecialchars together with urlencode just because
> urlencode encodes all special characters with its own way.

So, not needed in all 3 cases then...

> Imagine that urlencode does not encode quotes - what function should we
> call for its result?

Ideally, an escape filter that performs both functions; if the aim is to make things easier, I shouldn't need to think about the need to nest two escape functions. If I still have to use non-obvious combinations of magic syntax plus function calls, the claim of "secure by default" doesn't really stand up. The ~ becomes nothing more than an alias that I still need to remember when to deploy.

I'm pretty sure the tempting syntax is actively harmful in that situation...

> The fact itself, that there were many discussions about it, indicates
> that it is a necessary feature.

Popularity is not the same thing as necessity. More relevantly, even when we agree on the problem, the simple solution isn't always the best; sometimes it pays to think a bit more broadly about the problem space.

Larry's escaper registration is one example of that. HackLang's XHP is another - rather than thinking about escaping as an action, it gives the compiler richer knowledge of the structure, so it can "know" the right escape syntax.

If the compiler could look at my previous example and recognise the attribute, URL, script, and text contexts itself, then you really would have security-by-default. Unfortunately, that too is tricky to generalise - what is the correct escape method for an attribute named "data-my-action"...?

Regards,
-- 
Rowan Collins
[IMSoP]
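As an added illustration (not code from this thread, from any PHP RFC, or from Larry's proposal), here is a small context-aware escaper registry in the spirit of the "escaper registration" the message refers to. It shows the point about nesting: a value placed in a query string inside an href attribute is run through the URL escaper and then the attribute escaper, so the caller names the contexts rather than remembering which functions to combine. The context names, the class, and PHP 7.4+ syntax are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical registry of context-specific escapers (added example).
final class Escaper
{
    /** @var array<string, callable(string): string> */
    private array $escapers = [];

    public function register(string $context, callable $fn): void
    {
        $this->escapers[$context] = $fn;
    }

    // Apply the named contexts innermost first, e.g. ('url', 'html') for a
    // query-string value that ends up inside an href="" attribute.
    public function escape(string $value, string ...$contexts): string
    {
        foreach ($contexts as $ctx) {
            if (!isset($this->escapers[$ctx])) {
                // Unknown context is an error, not a silent pass-through.
                throw new InvalidArgumentException("No escaper registered for context '$ctx'");
            }
            $value = ($this->escapers[$ctx])($value);
        }
        return $value;
    }
}

$e = new Escaper();
// HTML text and quoted attribute values: entity-encode both quote styles.
$e->register('html', fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
// URL query component: percent-encoding (covers quotes, '<', '>' and '&' in its own way).
$e->register('url', fn(string $s) => rawurlencode($s));
// JavaScript string literal inside a <script> block: JSON-encode with the HTML-sensitive
// characters hex-escaped, then drop the surrounding double quotes json_encode adds.
$e->register('js', fn(string $s) => substr(
    json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR),
    1, -1
));

$input = '"><script>alert(1)</script>';          // constructed sample input
$text  = $e->escape($input, 'html');             // text context
$href  = 'page.php?q=' . $e->escape($input, 'url', 'html'); // URL inside an attribute: both
$js    = $e->escape($input, 'js');               // script context

echo "<p>$text</p>\n";
echo "<a href=\"$href\">link</a>\n";
echo "<script>var q = \"$js\";</script>\n";
```

Note that the caller still has to name the context; the registry cannot infer it from the markup, which is the limitation the message raises with the "data-my-action" attribute.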