Yep, I see where my suggestion for filter_var() isn't relevant.

I use Symfony2's escaper in the PPI\Templating\ component, and really like it.
Zend2's also seems pretty good.

It'd be nice to have this available as a ./ext/spl/ class or an
independent extension (really needed for 1 class?).

Cheers,
Paul.

On Tue, Sep 18, 2012 at 12:55 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
> Hi Paul,
>
> The thing is that filter_var() is strongly associated with input
> sanitisation whereas Escaper addresses the other end of output. Also,
> escaping is inextricably linked to character encoding - we can't run
> into situations where the functions are specific to something like
> UTF-8 when the character encodings used in real life are far more
> diverse. Additionally, the RFC was an attempt to make escaping as
> explicit and restrictive as possible - give a user too many options,
> or too many dispersed units of functionality, and they'll invariably
> confuse and misinterpret themselves to Hell ;).
>
> Note: There is a stack of folk, for example, who use the ext/filter
> URL validator for HTTP validation - it also passes php:// and
> javascript:// URLs. If we're not explicit, they won't ever notice when
> they're doing it wrong.
>
> Paddy
>
> On Tue, Sep 18, 2012 at 12:34 PM, Paul Dragoonis <dragoo...@gmail.com> wrote:
>> On Tue, Sep 18, 2012 at 12:32 PM, Paul Dragoonis <dragoo...@gmail.com> wrote:
>>> Hi Paddy,
>>>
>>> Couldn't this just be a new option for the filter_var() function?
>>>
>>> $clean = filter_var($_POST['someVar'], XSS_CLEAN);
>>
>> I see from your RFC that you have a bunch of functions, I believe all
>> these could be options to filter_var, ie.: FILTER_ESCAPE_[URL, JS,
>> CSS, HTMLATTR].
>>
>> - Paul.
>>
>>>
>>> - Paul.
>>>
>>> On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>>>> The RFC is a proposal to implement a standardised means of escaping
>>>> data which is being output into XML/HTML.
>>>>
>>>> Cross-Site Scripting remains one of the most common vulnerabilities in
>>>> web applications and there is a continued lack of understanding
>>>> surrounding how to properly escape data. To try and offset this, I've
>>>> written articles, attempted to raise awareness and wrote the
>>>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>>>> adopted similar measures in line with its own focus on security.
>>>>
>>>> That's all. The RFC should be self-explanatory and feel free to pepper
>>>> me with questions. As the RFC notes, I'm obviously not a C programmer
>>>> so I'm reliant on finding a volunteer who's willing to take this one
>>>> under their wing (or into their basement - whichever works).
>>>>
>>>> https://wiki.php.net/rfc/escaper
>>>>
>>>> Best regards,
>>>> Paddy
>>>>
>>>> --
>>>> Pádraic Brady
>>>>
>>>> http://blog.astrumfutura.com
>>>> http://www.survivethedeepend.com
>>>> Zend Framework Community Review Team
>>>>
>
>
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com
> http://www.survivethedeepend.com
> Zend Framework Community Review Team

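To make the thread's point concrete (escaping is per output context, tied to an explicit encoding, and FILTER_VALIDATE_URL only checks URL syntax), here is an added example in PHP; it is not code from the RFC, Zend\Escaper or Twig, and it assumes a UTF-8 output document and the mbstring extension for mb_ord().

```php
<?php
declare(strict_types=1);
// Added example: one escaper per output context, all assuming UTF-8 output.

// HTML body: explicit encoding, both quote styles escaped, invalid UTF-8
// replaced (ENT_SUBSTITUTE) instead of silently returning an empty string.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute: every non-alphanumeric code point becomes a numeric entity,
// so the value stays inert even inside an unquoted attribute.
function escapeHtmlAttr(string $s): string {
    return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m): string {
        return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// JavaScript string literal: \xHH / \uHHHH escapes (surrogate pairs above the
// BMP), never HTML entities, which a JS parser would not understand.
function escapeJs(string $s): string {
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp <= 0xFFFF) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
    }, $s);
}

// URL in href/src: FILTER_VALIDATE_URL accepts any syntactically valid scheme,
// so the scheme is allow-listed explicitly before the URL is attribute-escaped.
function safeHref(string $url): ?string {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escapeHtmlAttr($url) : null;
}

// Constructed sample value; the same string needs a different escaper per context.
$name = '<b>Tom & "Jerry"</b>';
echo '<p>' . escapeHtml($name) . "</p>\n";
echo '<input value=' . escapeHtmlAttr($name) . ">\n";
echo '<script>var n = "' . escapeJs($name) . "\";</script>\n";
var_dump(safeHref('https://example.com/?q=a&b=c'), safeHref('javascript://x'));
```

The last call returns NULL although the string passes FILTER_VALIDATE_URL, which is exactly the gap the thread describes.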
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
