Hello,

I guess Ondrej was just pointing out that escaping itself is a little
bit more complex than just htmlspecialchars-ing the data. And
*automatically impossible* with the default ZF view design (phtml
templates), in the sense that it still requires a human to change the
escaping method based on the context (html, js, css, xml...)

Regards,
Marian

P.S.: hi Ondrej

On Tue, Jul 14, 2009 at 1:50 PM, Pádraic Brady<padraic.br...@yahoo.com> wrote:
> PHP's magic_quotes was a mistake because it failed to do anything useful and
> instead created more problems that led to greater insecurity and
> uncertainty instead. Automatic escaping with ZF 2.0 is anything but - it is
> a simple concept whereby html escaping is applied by default to any request
> for a view variable (one can assume most views are HTML). If you wish not to
> have this escaping applied, there will be a similar method for retrieving
> the raw value of any variable (then you can do the XML/JSON thing).
>
> The security principle involved is "never trust a human" ;). People forget
> to manually escape variables - especially when escaping has its own method
> which is tortuous to use everywhere on everything it's needed on - it also
> looks ugly cluttering up my view templates. All you need is someone to get
> lazy or forget to use it and the application is thrown into risk. Then you
> have the smarties who like to use it only where they believe it's necessary
> - a silly presumption since any change could put any view variable into
> a scope where escaping is essential. The ZF 2.0 default behaviour is
> therefore a poka-yoke (from Japanese - refers to any system in a process
> which helps an operator avoid mistakes due to human error). Since we can't
> trust humans - we won't. We'll escape everything and then if you want
> unescaped values you will need to use an obvious "raw" retrieval method
> which can be spotted by anyone, requires deliberate action to use, and can
> be double-checked by peers.
>
> How is that even remotely like the magic_quotes problem?
>
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> OpenID Europe Foundation Irish Representative
>
>
> ________________________________
> From: Ondrej Ivanič <ondrej.iva...@gmail.com>
> To: fw-general@lists.zend.com
> Sent: Tuesday, July 14, 2009 6:47:19 AM
> Subject: Re: [fw-general] XSS Prevention with Zend Framework
>
> Hi
>
>> fixing that...), but I will note: Starting with 2.0, escaping will be
>> the default when retrieving variables from the view object, and you will
>> need to request the raw value explicitly if you need it. This is a
>
> That sounds like a ZF version of magic_quotes... How do you want to
> deal with different escaping in javascript, css, html, xml? A view
> script could be a mix of anything, i.e.:
>
> <?php $this->var = '1/2"' ?>
> <p onclick="alert(&quot;<?php echo $this->var; ?>&quot;)"><?php echo $this->var; ?></p>
>
> <script>
> document.title = "<?php echo $this->var; ?>"
> </script>
>
> and the correct output is:
>
> <p onclick="alert(&quot;1\/2\&quot;&quot;)">1/2&quot;</p>
> <script>
> document.title = "1\/2\"";
> </script>
>
> For proper automatic escaping you need information about the context,
> which is very hard (impossible) to get now...
>
> html: htmlspecialchars($s, ENT_QUOTES)
> xml: htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s), ENT_QUOTES)
> css: addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~")
> css inside html attributes: htmlspecialchars(addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~"), ENT_QUOTES)
> javascript: json_encode($s)
> js inside html attributes: htmlspecialchars(json_encode($s), ENT_QUOTES);
>
> --
> Ondrej Ivanic
> (ondrej.iva...@gmail.com)
>

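Ondrej's per-context escapers applied to his own sample template, as an added example (not code from this thread, from Zend Framework or from any library; the Escaper class and renderTemplate function are hypothetical names). The addcslashes character list is the one he posted, written here without the ambiguous `...`; the expected output is the one he gives as correct.

```php
<?php
// One escaper per output context, following the list in Ondrej's mail.
final class Escaper
{
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
    public static function xml(string $s): string
    {
        // drop the control characters XML 1.0 forbids, then escape as for HTML
        return self::html(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s));
    }
    public static function css(string $s): string
    {
        // backslash-escape ASCII punctuation and control characters (letters, digits and '-' stay)
        return addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~");
    }
    public static function js(string $s): string
    {
        // a quoted JS string literal; json_encode also turns '/' into '\/', so no '</script>' can appear
        return json_encode($s);
    }
    // the same values placed inside an HTML attribute: escape for the inner context first, then for HTML
    public static function cssAttr(string $s): string { return self::html(self::css($s)); }
    public static function jsAttr(string $s): string { return self::html(self::js($s)); }
}

// Ondrej's template, with the escaper chosen by hand for each of its three contexts.
function renderTemplate(string $var): string
{
    return '<p onclick="alert(' . Escaper::jsAttr($var) . ')">' . Escaper::html($var) . '</p>' . "\n"
         . '<script>' . "\n"
         . 'document.title = ' . Escaper::js($var) . ';' . "\n"
         . '</script>';
}

// The output the mail gives as correct for $this->var = '1/2"'.
$expected = '<p onclick="alert(&quot;1\/2\&quot;&quot;)">1/2&quot;</p>' . "\n"
          . '<script>' . "\n"
          . 'document.title = "1\/2\"";' . "\n"
          . '</script>';

$out = renderTemplate('1/2"');
echo $out, "\n";
echo $out === $expected ? "matches the expected output\n" : "mismatch\n";

// A single context-blind HTML escaper dropped into the <script> string literal
// does not yield a JS string: the page would set its title to 1/2&quot;
echo 'document.title = "' . Escaper::html('1/2"') . '";', "\n";
```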