PHP's magic_quotes was a mistake because it failed to do anything useful and instead created more problems that led to greater insecurity and uncertainty. Automatic escaping with ZF 2.0 is anything but - it is a simple concept whereby HTML escaping is applied by default to any request for a view variable (one can assume most views are HTML). If you wish not to have this escaping applied, there will be a similar method for retrieving the raw value of any variable (then you can do the XML/JSON thing).
The security principle involved is "never trust a human" ;). People forget to manually escape variables - especially when escaping has its own method which is tortuous to use everywhere on everything it's needed on - it also looks ugly cluttering up my view templates. All you need is someone to get lazy or forget to use it and the application is thrown into risk. Then you have the smarties who like to use it only where they believe it's necessary - a silly presumption since any change could put any view variable into a scope where escaping is essential. The ZF 2.0 default behaviour is therefore a poka-yoke (from Japanese - refers to any system in a process which helps an operator avoid mistakes due to human error). Since we can't trust humans - we won't. We'll escape everything and then if you want unescaped values you will need to use an obvious "raw" retrieval method which can be spotted by anyone, requires deliberate action to use, and can be double-checked by peers. How is that even remotely like the magic_quotes problem?

Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative

________________________________
From: Ondrej Ivanič <ondrej.iva...@gmail.com>
To: fw-general@lists.zend.com
Sent: Tuesday, July 14, 2009 6:47:19 AM
Subject: Re: [fw-general] XSS Prevention with Zend Framework

Hi

> fixing that...), but I will note: Starting with 2.0, escaping will be
> the default when retrieving variables from the view object, and you will
> need to request the raw value explicitly if you need it. This is a

That sounds like a ZF version of magic_quotes... How do you want to deal with different escaping in javascript, css, html, xml?
View script could be a mix of anything, i.e.:

    <?php $this->var = '1/2"' ?>
    <p onclick='alert("<?php echo $this->var; ?>")'><?php echo $this->var; ?></p>
    <script>
    document.title = "<?php echo $this->var; ?>"
    </script>

and the correct output is:

    <p onclick='alert("1\/2\"")'>1/2"</p>
    <script>
    document.title = "1\/2\"";
    </script>

For a proper automatic escaping you need information about the context, which is very hard (impossible) to get now...

    html:                       htmlspecialchars($s, ENT_QUOTES)
    xml:                        htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s), ENT_QUOTES)
    css:                        addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~")
    css inside html attributes: htmlspecialchars(addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~"), ENT_QUOTES)
    javascript:                 json_encode($s)
    js inside html attributes:  htmlspecialchars(json_encode($s), ENT_QUOTES);

--
Ondrej Ivanic (ondrej.iva...@gmail.com)
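An added example, not code from this thread or from Zend Framework: a minimal view object of the kind Pádraic describes, which HTML-escapes on every property read and only hands out the unescaped value through an explicit raw() call, combined with the per-context escapers Ondrej lists, applied to his `1/2"` value. The class name EscapingView and the method names raw(), escapeHtml(), escapeJs() and escapeJsInAttr() are my own assumptions.

```php
<?php
// Added example (not ZF code): escape-by-default view with an explicit raw() opt-out,
// plus context-specific escapers for JS literals and JS literals inside HTML attributes.
final class EscapingView
{
    private array $vars = [];

    public function __set(string $name, $value): void
    {
        $this->vars[$name] = (string) $value;
    }

    // Default access path: every $view->name read is HTML-escaped (the poka-yoke).
    public function __get(string $name): string
    {
        return $this->escapeHtml($this->vars[$name] ?? '');
    }

    // Deliberate, greppable opt-out; callers must re-escape for their own context.
    public function raw(string $name): ?string
    {
        return $this->vars[$name] ?? null;
    }

    // HTML text and double-quoted attribute context.
    public function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // JavaScript string-literal context: json_encode produces a quoted literal; the HEX
    // flags keep <, >, &, ' and " out of the output so data cannot close a <script> block.
    public function escapeJs(string $s): string
    {
        $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        return $json === false ? '""' : $json; // invalid UTF-8 degrades to an empty literal
    }

    // JS literal placed inside an HTML attribute: JS escaping first, then attribute escaping.
    public function escapeJsInAttr(string $s): string
    {
        return $this->escapeHtml($this->escapeJs($s));
    }
}

$view = new EscapingView();
$view->var = '1/2"';                         // constructed sample value from the thread
echo "<p>{$view->var}</p>\n";                // HTML text: default read is already escaped
echo '<p onclick="alert(' . $view->escapeJsInAttr($view->raw('var')) . ')">x</p>' . "\n";
echo '<script>document.title = ' . $view->escapeJs($view->raw('var')) . ";</script>\n";
```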