On Tue, Sep 18, 2012 at 12:32 PM, Paul Dragoonis <dragoo...@gmail.com> wrote:
> Hi Paddy,
>
> Couldn't this just be a new option for the filter_var() function?
>
> $clean = filter_var($_POST['someVar'], XSS_CLEAN);

I see from your RFC that you have a bunch of functions; I believe all these could be options to filter_var, i.e.: FILTER_ESCAPE_[URL, JS, CSS, HTMLATTR].

- Paul.

>
> - Paul.
>
> On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady <padraic.br...@gmail.com>
> wrote:
>> Hi all,
>>
>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>> The RFC is a proposal to implement a standardised means of escaping
>> data which is being output into XML/HTML.
>>
>> Cross-Site Scripting remains one of the most common vulnerabilities in
>> web applications and there is a continued lack of understanding
>> surrounding how to properly escape data. To try and offset this, I've
>> written articles, attempted to raise awareness and wrote the
>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>> adopted similar measures in line with its own focus on security.
>>
>> That's all. The RFC should be self-explanatory and feel free to pepper
>> me with questions. As the RFC notes, I'm obviously not a C programmer
>> so I'm reliant on finding a volunteer who's willing to take this one
>> under their wing (or into their basement - whichever works).
>>
>> https://wiki.php.net/rfc/escaper
>>
>> Best regards,
>> Paddy
>>
>> --
>> Pádraic Brady
>>
>> http://blog.astrumfutura.com
>> http://www.survivethedeepend.com
>> Zend Framework Community Review Team
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
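The thread above talks about one escaping function per output context (URL, JS, CSS, HTML attribute). The following is an added illustration of that split, written for this page; it is not code from the RFC, from Zend\Escaper, or from anyone in the thread. The function names are assumptions for the example, input is assumed to be UTF-8, and mb_ord() requires PHP 7.2 or later.

```php
<?php
declare(strict_types=1);

// Added illustration (not code from the RFC or from Zend\Escaper): one escaping
// function per output context, mirroring the URL / JS / CSS / HTML-attribute
// split mentioned in the thread. Function names are assumptions for this
// example. Requires PHP 7.2+ for mb_ord(); all input is assumed to be UTF-8.

// HTML body context: the five significant characters, single quotes included.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shared helper: apply $fmt to every code point outside the $safe class.
function escapeByCodePoint(string $s, string $safe, callable $fmt): string
{
    return preg_replace_callback('/[^' . $safe . ']/u', function (array $m) use ($fmt): string {
        return $fmt(mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// HTML attribute context: stricter than body escaping, so that even an
// unquoted attribute value cannot be broken out of.
function escapeHtmlAttr(string $s): string
{
    return escapeByCodePoint($s, 'a-zA-Z0-9,._\-', function (int $cp): string {
        return sprintf('&#x%02X;', $cp);
    });
}

// JavaScript string-literal context: \xHH for Latin-1, \uHHHH (as a surrogate
// pair above the BMP) for everything else, so neither quotes nor a literal
// "</script>" can survive into the page.
function escapeJs(string $s): string
{
    return escapeByCodePoint($s, 'a-zA-Z0-9,._', function (int $cp): string {
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
    });
}

// CSS string/identifier context: "\HH " with a trailing space as terminator.
function escapeCss(string $s): string
{
    return escapeByCodePoint($s, 'a-zA-Z0-9', function (int $cp): string {
        return sprintf('\\%X ', $cp);
    });
}

// URL parameter context: RFC 3986 percent-encoding.
function escapeUrl(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample input: a submitted value containing metacharacters
// for every context above.
$untrusted = 'O\'Reilly & "friends" <b>';

// The same input is rendered once per context, each with its own escaper.
printf("<p>%s</p>\n", escapeHtml($untrusted));
printf("<input value=%s>\n", escapeHtmlAttr($untrusted));
printf("<script>var name = '%s';</script>\n", escapeJs($untrusted));
printf("<style>.x::after { content: '%s'; }</style>\n", escapeCss($untrusted));
printf("<a href=\"/search?q=%s\">search</a>\n", escapeUrl($untrusted));
```

Run it with `php escaper_demo.php` (file name is arbitrary). The point the split makes is that the correct encoding depends on where the value lands: the HTML-body output is readable, while the JS, CSS and attribute outputs encode almost every non-alphanumeric byte because those parsers treat far more characters as significant.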