Newsgroups: php.internals
Date: Sun, 31 Jul 2016 10:16:29 +0500
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)
Cc: PHP internals

2016-07-31 1:49 GMT+05:00 Reinis Rozitis:

> From: Michael Vostrikov
>>
>> The problem is that these functions should be called everywhere manually,
>> and there is no error when these functions are not called.
>> And this RFC proposes a solution - call a function automatically.
>>
>
> Though you can use pecl/taint for that.
> If anything imo it would make more sense to propose/vote for such
> functionality to be included in core.
>

How can I use it for that?

alert("XSS");'; ?>

The code does not produce any error messages.
This extension works only for variables from GET, POST, COOKIE, this is not escaping of output data.
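
The distinction drawn in the message above, between tracking request variables and escaping data at the point of output, shown as an added PHP example that is not part of the original e-mail or of the RFC. The helper name `escape_for()` and the sample value are assumptions; the value stands in for data that did not arrive via GET, POST or COOKIE.

```php
<?php
// Added illustration: escape_for() is a hypothetical helper,
// not an API from the RFC, from pecl/taint or from PHP itself.

function escape_for(string $context, string $value): string
{
    switch ($context) {
        case 'html':
            // Element content and quoted attribute values.
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'js':
            // Value embedded as a string literal inside an inline <script> block.
            // The HEX flags keep "<", ">", "&" and quotes out of the output so the
            // literal cannot close the surrounding script element.
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
        case 'url':
            // A single query-string component.
            return rawurlencode($value);
        default:
            // Fail closed: an unknown context must never fall through unescaped.
            throw new InvalidArgumentException("unknown escaping context: $context");
    }
}

// Constructed sample: stands in for a value loaded from a database or a file,
// i.e. one that never passed through $_GET, $_POST or $_COOKIE.
$name = '<script>alert("XSS");</script>';

$html = escape_for('html', $name);
$js   = escape_for('js', $name);
$url  = escape_for('url', $name);

// Each output context gets the encoding that matches it, whatever the
// origin of the data was.
echo "<p>Hello, {$html}</p>\n";
echo "<script>var userName = {$js};</script>\n";
echo "<a href=\"/profile?name={$url}\">profile</a>\n";
```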