Rasmus Lerdorf wrote:
> The best you can
> do is provide sensible default actions and make sure people realize that
> it isn't the entire solution.  But I don't think throwing our hands in
> the air and doing nothing to help the developers is the answer just
> because there are such contexts that can't be solved by filters.

I believe we're in agreement. But I don't know if there's any way to do
this while not fundamentally redesigning PHP and changing every PHP
tutorial on the Internet that says you should <?php echo $_GET['data']
?> (a lot, apparently: http://www.google.com/search?q=%22echo+%24_GET%22 ).

The users who use filter are the ones who actually know what the right
thing is to do, and would benefit the least from this (although, as you
mention, they would still benefit, as smart developers can still be
careless!). But there's nothing stopping a newbie developer from dropping
a few echos except some sort of auditing strategy; discipline still
plays a large role in it. Of course, adopting a less-obvious syntax for
raw data will make it more evident when PHP's easy & insecure capabilities
are used...

-- 
 Edward Z. Yang                        GnuPG: 0x869C48DA
 HTML Purifier <http://htmlpurifier.org> Anti-XSS Filter
 [[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]
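As an added illustration of the point argued above (this is example code, not part of the thread or of PHP itself), the same $_GET value rendered raw, rendered with escaping chosen per output context, and rendered through a wrapper that escapes by default so that raw output becomes the visibly unusual case. The helper names (render_unsafe, e_html, e_js, Raw, out) are hypothetical, the request parameter is constructed inline, and the script is meant to be run from the CLI.

```php
<?php
// Constructed input standing in for a real request: ?data=<script>alert(1)</script>
$_GET['data'] = $_GET['data'] ?? '<script>alert(1)</script>';

// The tutorial pattern the thread criticises: the value reaches the browser as markup.
function render_unsafe(string $data): string {
    return "<p>" . $data . "</p>";
}

// Escaping chosen at output time, per context. An input filter cannot know whether
// the value will end up in HTML text, a URL, or a JavaScript string literal.
function e_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function e_js(string $s): string {
    // JSON-encoding with the HEX flags yields a literal that is safe inside <script>.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
}
function render_safe(string $data): string {
    return "<p>" . e_html($data) . "</p>\n"
         . "<a href=\"/search?q=" . rawurlencode($data) . "\">search again</a>\n"
         . "<script>var q = " . e_js($data) . ";</script>";
}

// "Less-obvious syntax for raw data": out() escapes everything unless the caller
// deliberately wraps the value in Raw, which stands out in a code review (hypothetical).
final class Raw {
    public function __construct(public string $html) {}
}
function out(string|Raw $v): void {
    echo $v instanceof Raw ? $v->html : e_html($v);
}

echo "UNSAFE:\n", render_unsafe($_GET['data']), "\n\n";
echo "SAFE:\n", render_safe($_GET['data']), "\n\n";
out($_GET['data']);               // escaped by default
echo "\n";
out(new Raw('<b>trusted</b>'));   // raw output is an explicit opt-in
```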

-- 
PHP Internals - PHP Runtime Development Mailing List