>Finally, the proposed solution seems to be the best one with the current
>Zend_View design, but it's wrong to think that you raise the level of
>security in your application; the level is still the same as before.

I have to disagree - simply by removing the need to manually escape everything 
removes the human factor entirely. Sure, your JSON might not be escaped 
correctly by default and break functionality (you should have tests to detect 
that so it won't go unnoticed), but missing that in your code is a lot better 
than the current system where you could miss a simple HTML escape and throw the 
application wide open to an XSS attack. Auto-escaping, while imperfect, does 
lower your risk of falling afoul of XSS. The more complex and involved your 
views are, the more likely human error will play a factor, and the more 
valuable a poka-yoke system becomes.

 Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative

________________________________
From: Ondrej Ivanič <ondrej.iva...@gmail.com>
To: fw-general@lists.zend.com
Sent: Wednesday, July 15, 2009 1:09:53 AM
Subject: Re: [fw-general] XSS Prevention with Zend Framework

Hi

On Wed, Jul 15, 2009 at 2:39 AM, Matthew Weier
O'Phinney<matt...@zend.com> wrote:
>
> Within your view, you, the developer, know your context, so it's up to
> you to define the escaping mechanism. We're just going to provide a sane
> default for the 80/20 use case.
>

80/20 is a nice rule but not for security. I went this way a few
years ago and, as you mention, it was so convenient not to care in 80%
of cases, but the rest was a pain in the ass. The setEscape() method
doesn't help much when you have to mix CSS/JS/HTML code in a
single phtml file.

I believe that the first set of messages to this list will ask questions like this:
- how to turn off automatic escaping
- why my JavaScript doesn't work
...

Finally, the proposed solution seems to be the best one with the current
Zend_View design, but it's wrong to think that you raise the level of
security in your application; the level is still the same as before.

-- 
Ondrej Ivanic
(ondrej.iva...@gmail.com)
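An added example (not code from this thread or from Zend Framework) of the point both posts circle around: a single HTML-only default escaper, as setEscape() installs, corrupts or breaks values placed in a JavaScript or CSS context, while a helper that takes the output context as an argument handles each one correctly. The function names escapeHtml, escapeJs, escapeCss and e are assumptions for this example, not Zend_View API.

```php
<?php
// Added example, not Zend Framework code: one escaper per output context,
// contrasted with the single HTML-only default that setEscape() installs.

function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// JS string context: json_encode emits a quoted, fully escaped literal; the
// HEX flags keep '<', '>', '&' and both quote characters out of the output,
// so the value can never end the literal or the surrounding <script> element.
function escapeJs(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($out === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $out;
}

// CSS string/identifier context: every non-alphanumeric code point becomes a
// \HH hex escape followed by a space so following hex digits are not absorbed.
function escapeCss(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// The view names the context for each value instead of relying on one default.
function e(string $value, string $context = 'html'): string
{
    switch ($context) {
        case 'html': return escapeHtml($value);
        case 'js':   return escapeJs($value);
        case 'css':  return escapeCss($value);
    }
    throw new InvalidArgumentException("unknown escaping context: $context");
}

// Constructed sample value with characters that matter inside a JS literal.
$name = "O'Neil\nLine 2";

// HTML default used inside <script>: the quote becomes &#039; (the browser
// shows the entity literally, i.e. "why my JavaScript doesn't work") and the
// newline passes through untouched, leaving an unterminated string literal.
echo "var n = '" . e($name) . "';\n";
// Context-aware escaping: a valid JS literal that round-trips the value.
echo "var n = " . e($name, 'js') . ";\n";
echo "font-family: " . e($name, 'css') . ";\n";
```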
