Hello,

I guess Ondrej was just pointing out that escaping itself is a little bit more complex than just htmlspecialchars-ing the data, and *automatically impossible* with the default ZF view design (phtml templates), in the sense that it still requires a human to change the escaping method based on the context (html, js, css, xml...).
Regards,
Marian

P.S.: ahoj ondrej

On Tue, Jul 14, 2009 at 1:50 PM, Pádraic Brady <padraic.br...@yahoo.com> wrote:
> PHP's magic_quotes was a mistake because it failed to do anything useful and
> instead created more problems that led to greater insecurity and
> uncertainty. Automatic escaping with ZF 2.0 is anything but - it is
> a simple concept whereby html escaping is applied by default to any request
> for a view variable (one can assume most views are HTML). If you wish not to
> have this escaping applied, there will be a similar method for retrieving
> the raw value of any variable (then you can do the XML/JSON thing).
>
> The security principle involved is "never trust a human" ;). People forget
> to manually escape variables - especially when escaping has its own method
> which is tortuous to use everywhere on everything it's needed on - it also
> looks ugly cluttering up my view templates. All you need is someone to get
> lazy or forget to use it and the application is thrown into risk. Then you
> have the smarties who like to use it only where they believe it's necessary
> - a silly presumption since any change could put any view variable into
> a scope where escaping is essential. The ZF 2.0 default behaviour is
> therefore a poka-yoke (from Japanese - refers to any system in a process
> which helps an operator avoid mistakes due to human error). Since we can't
> trust humans - we won't. We'll escape everything and then if you want
> unescaped values you will need to use an obvious "raw" retrieval method
> which can be spotted by anyone, requires deliberate action to use, and can
> be double-checked by peers.
>
> How is that even remotely like the magic_quotes problem?
>
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> OpenID Europe Foundation Irish Representative
>
>
> ________________________________
> From: Ondrej Ivanič <ondrej.iva...@gmail.com>
> To: fw-general@lists.zend.com
> Sent: Tuesday, July 14, 2009 6:47:19 AM
> Subject: Re: [fw-general] XSS Prevention with Zend Framework
>
> Hi
>
>> fixing that...), but I will note: Starting with 2.0, escaping will be
>> the default when retrieving variables from the view object, and you will
>> need to request the raw value explicitly if you need it. This is a
>
> That sounds like a ZF version of magic_quotes... How do you want to
> deal with different escaping in javascript, css, html, xml? A view
> script could be a mix of anything, i.e.:
>
> <?php $this->var = '1/2"' ?>
> <p onclick="alert("<?php echo $this->var; ?>")"><?php echo $this->var; ?></p>
>
> <script>
> document.title = "<?php echo $this->var; ?>"
> </script>
>
> and the correct output is:
>
> <p onclick="alert("1\/2\"")">1/2"</p>
> <script>
> document.title = "1\/2\"";
> </script>
>
> For proper automatic escaping you need information about the context,
> which is very hard (impossible) to get now...
>
> html: htmlspecialchars($s, ENT_QUOTES)
> xml: htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s), ENT_QUOTES)
> css: addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~")
> css inside html attributes: htmlspecialchars(addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~"), ENT_QUOTES)
> javascript: json_encode($s)
> js inside html attributes: htmlspecialchars(json_encode($s), ENT_QUOTES);
>
> --
> Ondrej Ivanic
> (ondrej.iva...@gmail.com)
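The escaper table quoted above, as an added example in working PHP. This is not Zend Framework code and not something posted in this thread; the class and method names (EscapingView, raw(), escapeJs(), escapeJsInAttr() and the rest) are my own, and the sample input is constructed. It combines the two positions in the thread: every plain read of a view variable is HTML-escaped and the unescaped value is only reachable through an explicit raw() call, and the other contexts each get their own helper. Two things it does differently from the one-liners quoted above: json_encode() is called with the JSON_HEX_* flags (PHP 5.3+) so that a value containing "</script>" cannot terminate the surrounding script element, and the onclick example escapes for JavaScript first and for HTML second, because the browser decodes the attribute value as HTML before the JavaScript parser ever sees it. Note also that writing alert("...") inside a double-quoted attribute, as in the quoted template, ends the attribute at the first inner quote no matter how the value was escaped; HTML-escaping the JSON literal (or single-quoting the attribute) avoids that.

```php
<?php
// Added example, not Zend Framework code. Assumes PHP 5.3+ (JSON_HEX_* flags).
// All class and method names here are hypothetical.

class EscapingView
{
    private $vars = array();

    public function __set($name, $value)
    {
        $this->vars[$name] = $value;
    }

    // Default read path: every $view->foo is HTML-escaped. Safe in element
    // content and inside quoted attribute values, but NOT inside <script>
    // or <style>, where no HTML entity decoding ever happens.
    public function __get($name)
    {
        return self::escapeHtml($this->raw($name));
    }

    // The only way to get the unescaped value. Easy to grep for in review.
    public function raw($name)
    {
        return isset($this->vars[$name]) ? $this->vars[$name] : '';
    }

    public static function escapeHtml($s)
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    // XML: drop control characters that are illegal in XML 1.0, then escape.
    public static function escapeXml($s)
    {
        $s = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s);
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    // JavaScript string literal, surrounding quotes included. The JSON_HEX_*
    // flags turn < > & ' " inside the value into \uXXXX escapes, so a value
    // such as "</script>" can no longer close the enclosing <script> element.
    public static function escapeJs($s)
    {
        return json_encode((string) $s,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }

    // JavaScript inside an HTML attribute (onclick="..."): the browser
    // HTML-decodes the attribute value before the JS parser sees it, so
    // escape for JS first and for HTML second.
    public static function escapeJsInAttr($s)
    {
        return self::escapeHtml(self::escapeJs($s));
    }

    // CSS: backslash-escape every ASCII character other than letters,
    // digits, '-' and '_'.
    public static function escapeCss($s)
    {
        return addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~");
    }

    // CSS inside a style="..." attribute: same ordering argument as for JS.
    public static function escapeCssInAttr($s)
    {
        return self::escapeHtml(self::escapeCss($s));
    }
}

// Constructed input: the value from the thread, extended with a tag that
// would close the <script> block below if it were only JSON-encoded.
$view = new EscapingView();
$view->var = '1/2"</script>';
?>
<p onclick="alert(<?php echo EscapingView::escapeJsInAttr($view->raw('var')); ?>)"><?php echo $view->var; ?></p>
<script>
document.title = <?php echo EscapingView::escapeJs($view->raw('var')); ?>;
</script>
```

The default path ($view->var in the paragraph body) needs no thought from the template author; the two script contexts require a deliberate raw() plus a named escaper, which is exactly the grep-able, reviewable call site the thread argues for. The remaining gap is the one Ondrej describes: nothing stops someone from writing $view->var inside the <script> block, where HTML escaping is the wrong transformation, so the template still has to know which context it is in.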