Hi Paddy,

Couldn't this just be a new option for the filter_var() function?

$clean = filter_var($_POST['someVar'], XSS_CLEAN);

- Paul.

On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and written the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
>
> Best regards,
> Paddy
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

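The contrast the two messages are circling (one generic "clean" option on filter_var() versus an escaper that knows which output context the data lands in), as an added example written for this thread. It is not code from the RFC, from Zend\Escaper or from Twig; the function names are the example's own and are not a PHP API, the two payloads are constructed, and mb_ord() assumes PHP 7.2 or later.

```php
<?php
// Added example for this thread, not code from the RFC, Zend\Escaper or Twig.
// It shows why one "XSS_CLEAN" option on filter_var() cannot stand in for the
// context-aware escaper the RFC proposes: the same untrusted string needs a
// different encoding depending on where in the document it is written.
// All function names below are this example's own.
declare(strict_types=1);

// Normalise invalid UTF-8 before escaping: the /u regexes below return null
// on bad input, and a multibyte-unaware escaper can be fooled by truncated
// sequences. mb_convert_encoding() replaces invalid bytes with '?'.
function toValidUtf8(string $s): string
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-8');
}

// HTML body text. ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning '' (which would fail open).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute values. Everything outside a small safe set is entity-encoded,
// so a value cannot close an unquoted attribute with a space or introduce a new
// one with '='. Named entities are used where browsers reliably decode them.
function escapeHtmlAttr(string $s): string
{
    $named = ['&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#x27;'];
    return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m) use ($named): string {
        return $named[$m[0]] ?? sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
    }, toValidUtf8($s));
}

// String literal inside JavaScript. ASCII non-alphanumerics become \xHH, other
// code points \uHHHH (surrogate pairs above U+FFFF), so neither a quote, nor
// "</script>", nor the U+2028 line terminator can survive into the script.
function escapeJs(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
    }, toValidUtf8($s));
}

// Value going into a URL query string: percent-encoding per RFC 3986.
function escapeUrl(string $s): string
{
    return rawurlencode($s);
}

// Two constructed inputs that an HTML-body escaper alone does not neutralise.
function demo(): array
{
    // 1. Unquoted attribute: the payload has no quotes or angle brackets, so
    //    htmlspecialchars() leaves it untouched and the browser sees a second
    //    attribute. The attribute escaper encodes the space and the '='.
    $attr = 'x onmouseover=alert(1)';
    // 2. JS string inside an event-handler attribute: the browser HTML-decodes
    //    the attribute before the JS parser runs, so '&#039;' becomes a real
    //    quote again. JS-escaping first, then attribute-escaping, holds.
    $js = "'); alert(1); //";

    return [
        'attr_unsafe' => '<div title=' . escapeHtml($attr) . '>',
        'attr_safe'   => '<div title=' . escapeHtmlAttr($attr) . '>',
        'js_unsafe'   => '<a onclick="f(\'' . escapeHtml($js) . '\')">',
        'js_safe'     => '<a onclick="f(\'' . escapeHtmlAttr(escapeJs($js)) . '\')">',
        'url'         => '/search?q=' . escapeUrl($js),
    ];
}

foreach (demo() as $label => $markup) {
    printf("%-12s %s\n", $label, $markup);
}
```

The point the output makes is that the escaping function has to be chosen by the template author at each interpolation point, in the order the browser will decode the layers (here JS first, then attribute). A single flag on filter_var() applied at input time cannot know which of those contexts the value will end up in.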