On Tue, 18 Sep 2012, Pádraic Brady wrote:

> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper. 
> The RFC is a proposal to implement a standardised means of escaping 
> data which is being output into XML/HTML.
> 
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
> 
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
> 
> https://wiki.php.net/rfc/escaper

I understand that this is really beneficial to have, but, I wonder, why 
can't this be a composer-installable class, implemented in PHP? It 
solves the issue that you need to find a volunteer, as well as that 
updating it is a lot easier, and, you don't have to rely on shared 
hosters having it enabled.

I realize that you want to have this generally available, but for that 
we have ext/filter - which is not really used too much I *think*. Why 
would this be different? IMO, we should make a composer-installable 
package for this, and then litter all our escaping-related 
documentation pages with links to this new package.

cheers,
Derick

-- 
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
Posted with an email client that doesn't mangle email: alpine
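As an added illustration of what the RFC is asking for (this is not the RFC's code, nor Zend\Escaper or Twig's), here is a minimal context-aware escaper written as a plain PHP class, which is also the form Derick suggests shipping. The class name `Escaper`, the method names and the sample input are my own; it assumes UTF-8 input throughout.

```php
<?php
// Added example: one escaping method per output context, because a value that
// is safe inside an HTML text node is not automatically safe inside an
// attribute, a JavaScript string literal or a URL parameter.
final class Escaper
{
    // HTML body context: escape the characters that can end a text node.
    public static function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute context: hex-entity-encode everything except a safe set,
    // so unquoted and single-quoted attributes cannot be broken out of either.
    public static function escapeHtmlAttr(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,\.\-_]/u', function (array $m): string {
            $ord = mb_ord($m[0], 'UTF-8');
            if ($ord <= 0x1F && !in_array($m[0], ["\t", "\n", "\r"], true)) {
                return '&#xFFFD;'; // control characters become U+FFFD
            }
            return sprintf('&#x%02X;', $ord);
        }, $s);
    }

    // JavaScript string-literal context: \xHH for ASCII, \uHHHH otherwise,
    // with surrogate pairs for code points outside the BMP.
    public static function escapeJs(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,\._]/u', function (array $m): string {
            $ord = mb_ord($m[0], 'UTF-8');
            if ($ord < 0x80) {
                return sprintf('\\x%02X', $ord);
            }
            if ($ord > 0xFFFF) {
                $ord -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 + ($ord >> 10), 0xDC00 + ($ord & 0x3FF));
            }
            return sprintf('\\u%04X', $ord);
        }, $s);
    }

    // URL query-parameter context: percent-encode per RFC 3986.
    public static function escapeUrl(string $s): string
    {
        return rawurlencode($s);
    }
}

$input = 'Tom & "Jerry" <tag> \'quoted\''; // constructed untrusted input
echo '<p>' . Escaper::escapeHtml($input) . "</p>\n";
echo '<input value=' . Escaper::escapeHtmlAttr($input) . ">\n";
echo "<script>var n = '" . Escaper::escapeJs($input) . "';</script>\n";
echo '<a href="/search?q=' . Escaper::escapeUrl($input) . "\">link</a>\n";
```

Run it with `php escaper.php` and compare the four outputs: the same input is encoded differently for each context, which is the point the RFC makes about a single `htmlspecialchars()` call not covering attributes, scripts or URLs.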