Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)
To: Thomas Bley, internals@lists.php.net
Date: Thu, 28 Jul 2016 09:29:30 +0100
Message-ID: <9FA6BCF1-24E2-432A-B4FD-C1EC0B8C46AD@gmail.com>
In-Reply-To: <20160727224510.7B80C1A80358@dd1730.kasserver.com>

On 27 July 2016 23:45:10 GMT+01:00, Thomas Bley wrote:
>> In many ways, defining a built-in function e($string, $context) would
>> fulfil most of the above.
>
> If things are so easy, why does so much code exist with XSS problems?

Firstly, because there is no such built-in function.
I don't mean "telling everyone to implement one", I mean it existing in every copy of PHP.

But secondly, because people are lazy, or misunderstand, or make mistakes when they're in a hurry. Your RFC isn't going to magically fix all those things.

It's possible to agree that something's a problem without agreeing the solution. You seem to be implying in a couple of mails that anyone who doesn't support your ideas is anti-security, which is patently not true.

Regards,
-- 
Rowan Collins
[IMSoP]
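The `e($string, $context)` function discussed above does not exist in PHP. The following is an added example, not code from the RFC, from this thread or from PHP itself, showing what a userland version of such a context-dependent escaper could look like and why the context argument is the whole point: the same input is safe in one sink and exploitable in another. The context names (`html`, `attr`, `js`, `url`, `css`), the `codepoint()` helper and the two payload strings are assumptions constructed for illustration; the per-context rules follow the OWASP XSS prevention cheat sheet (HTML entities for text, `&#xHH;` for attributes, `\uHHHH` for JS strings, percent-encoding for URL components, `\HHHHHH` for CSS strings).

```php
<?php
declare(strict_types=1);

// Added example, not from the RFC or this mailing-list thread: a userland
// sketch of a context-dependent escaper e($string, $context). The context
// names, codepoint() and the sample payloads are assumptions for illustration.

/** Decode one UTF-8 encoded character into its Unicode code point. */
function codepoint(string $utf8Char): int
{
    $bytes = array_values(unpack('C*', $utf8Char));
    $n = count($bytes);
    if ($n === 1) {
        return $bytes[0];
    }
    $cp = $bytes[0] & (0xFF >> ($n + 1));        // drop the length-prefix bits
    for ($i = 1; $i < $n; $i++) {
        $cp = ($cp << 6) | ($bytes[$i] & 0x3F);   // six payload bits per continuation byte
    }
    return $cp;
}

/**
 * Escape $string for one specific output context.
 *   html: text between tags, or a double/single-quoted attribute value
 *   attr: any attribute value, quoted or not
 *   js:   inside a JavaScript string literal in a <script> block
 *   url:  one query-string component
 *   css:  inside a CSS string
 * An unknown context is an error, not a silent fallback to HTML escaping.
 */
function e(string $string, string $context = 'html'): string
{
    // Refuse malformed UTF-8 instead of escaping "around" it: browsers may
    // resynchronise on bytes the escaper never looked at.
    if (preg_match('//u', $string) !== 1) {
        throw new InvalidArgumentException('e(): input is not valid UTF-8');
    }

    switch ($context) {
        case 'html':
            return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

        case 'attr':
            // Unquoted attributes end at whitespace, so encode everything
            // outside a small alphanumeric-plus-punctuation safe set.
            return preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m): string {
                return sprintf('&#x%X;', codepoint($m[0]));
            }, $string);

        case 'js':
            // json_encode gives a double-quoted literal; strip the quotes and
            // keep < > & ' " as \uXXXX so "</script>" can never close the
            // surrounding script element.
            $json = json_encode($string, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
            return substr($json, 1, -1);

        case 'url':
            return rawurlencode($string);   // RFC 3986 percent-encoding

        case 'css':
            // A fixed six hex digits means no trailing-space delimiter is needed.
            return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
                return sprintf('\\%06X', codepoint($m[0]));
            }, $string);

        default:
            throw new InvalidArgumentException("e(): unknown escaping context '$context'");
    }
}

// Constructed payloads: the first targets quoted contexts, the second an
// unquoted attribute (no characters that HTML escaping would touch).
$tagPayload  = '"><script>alert(1)</script>';
$attrPayload = 'x onfocus=alert(1) autofocus';

// Each sink gets the escaper for its own context.
echo '<p>' . e($tagPayload) . "</p>\n";
echo '<input value=' . e($attrPayload, 'attr') . ">\n";
echo '<a href="/profile?name=' . e($tagPayload, 'url') . "\">link</a>\n";
echo '<script>var name = "' . e($tagPayload, 'js') . "\";</script>\n";
echo '<style>.tag::after { content: "' . e($tagPayload, 'css') . "\"; }</style>\n";

// Wrong context: htmlspecialchars leaves spaces and '=' alone, so in an
// unquoted attribute the value is split into new attributes and the
// onfocus handler fires. The escaping was applied, just the wrong one.
echo '<input value=' . e($attrPayload, 'html') . ">\n";
```

Note what the function cannot do: `e()` has no idea where its return value ends up, so the caller still has to name the right context, and the last `echo` shows that escaping applied in good faith with the wrong context is indistinguishable from no escaping at all for that sink. That gap between "an escaper exists" and "the right escaper was used at every sink" is where most of the XSS in otherwise careful code comes from.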