Hi Paul,

The thing is that filter_var() is strongly associated with input
sanitisation whereas Escaper addresses the other end of output. Also,
escaping is inextricably linked to character encoding - we can't run
into situations where the functions are specific to something like
UTF-8 when the character encodings used in real life are far more
diverse. Additionally, the RFC was an attempt to make escaping as
explicit and restrictive as possible - give a user too many options,
or too many dispersed units of functionality, and they'll invariably
confuse and misinterpret themselves to Hell ;).

Note: There is a stack of folk, for example, who use the ext/filter
URL validator for HTTP validation - it also passes php:// and
javascript:// URLs. If we're not explicit, they won't ever notice when
they're doing it wrong.

Paddy

On Tue, Sep 18, 2012 at 12:34 PM, Paul Dragoonis <dragoo...@gmail.com> wrote:
> On Tue, Sep 18, 2012 at 12:32 PM, Paul Dragoonis <dragoo...@gmail.com> wrote:
>> Hi Paddy,
>>
>> Couldn't this just be a new option for the filter_var() function?
>>
>> $clean = filter_var($_POST['someVar'], XSS_CLEAN);
>
> I see from your RFC that you have a bunch of functions, I believe all
> these could be options to filter_var, ie.: FILTER_ESCAPE_[URL, JS,
> CSS, HTMLATTR].
>
> - Paul.
>
>>
>> - Paul.
>>
>> On Tue, Sep 18, 2012 at 12:30 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
>>> Hi all,
>>>
>>> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
>>> The RFC is a proposal to implement a standardised means of escaping
>>> data which is being output into XML/HTML.
>>>
>>> Cross-Site Scripting remains one of the most common vulnerabilities in
>>> web applications and there is a continued lack of understanding
>>> surrounding how to properly escape data. To try and offset this, I've
>>> written articles, attempted to raise awareness and wrote the
>>> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
>>> adopted similar measures in line with its own focus on security.
>>>
>>> That's all. The RFC should be self-explanatory and feel free to pepper
>>> me with questions. As the RFC notes, I'm obviously not a C programmer
>>> so I'm reliant on finding a volunteer who's willing to take this one
>>> under their wing (or into their basement - whichever works).
>>>
>>> https://wiki.php.net/rfc/escaper
>>>
>>> Best regards,
>>> Paddy
>>>
>>> --
>>> Pádraic Brady
>>>
>>> http://blog.astrumfutura.com
>>> http://www.survivethedeepend.com
>>> Zend Framework Community Review Team
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>



--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
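The point about ext/filter above, as an added example (not code from the thread, the RFC, or Zend\Escaper): FILTER_VALIDATE_URL checks URL syntax (scheme plus host), so a syntactically well-formed javascript:// or php:// URL passes it, and it says nothing about whether the value is safe to drop into an href attribute. The script below runs a few constructed inputs through the validator, then through the two things that actually have to happen on the output side: a scheme allow-list (assumed here to be http and https only) and escaping for the HTML attribute context with the character encoding stated explicitly. It uses htmlspecialchars() as the escaper; the RFC's escapeHtmlAttr() is stricter (it encodes every non-alphanumeric character), so treat this as an illustration of the separation of concerns, not as the RFC's implementation.

```php
<?php
// Added example: a URL validator is not an escaper.
// Inputs are constructed; none of this is Zend\Escaper or the RFC's code.

declare(strict_types=1);

// Constructed attacker-influenced values, as a "website" form field might arrive.
$samples = [
    'https://example.com/profile?id=42',
    // %0A is a newline: in JS, "//" starts a comment that the newline ends.
    'javascript://example.com/%0Aalert(document.cookie)',
    'php://filter/read=convert.base64-encode/resource=index.php',
    // Well-formed https URL that tries to break out of the attribute.
    'https://example.com/" onmouseover="alert(1)',
];

// 1. What ext/filter answers: "is this shaped like a URL?" (scheme + host).
function validatesAsUrl(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// 2. Output-side policy: only link schemes this page wants. Assumption: http(s) only.
const ALLOWED_SCHEMES = ['http', 'https'];

function isAllowedLink(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // null when there is no scheme component, false on badly malformed input.
    if (!is_string($scheme)) {
        return false;
    }
    return in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

// 3. Context-specific escaping for an HTML attribute value. The encoding is
//    passed explicitly; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
//    silently returning an empty string, which would otherwise hide bad input.
function escapeHtmlAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Policy first (reject the scheme), then escape for the attribute context.
//    Neither step on its own is enough: the allow-list lets the fourth sample
//    through, and escaping alone would happily emit a javascript: link.
function safeHref(string $url): string
{
    if (!isAllowedLink($url)) {
        return '#'; // fallback; a real application might drop the link or log it
    }
    return escapeHtmlAttr($url);
}

foreach ($samples as $url) {
    printf(
        "%-62s validate_url=%-3s allowed=%-3s href=\"%s\"\n",
        $url,
        validatesAsUrl($url) ? 'yes' : 'no',
        isAllowedLink($url) ? 'yes' : 'no',
        safeHref($url)
    );
}
```

Run it with `php` on the command line and compare the validate_url column with the allowed column: the javascript:// and php:// rows are the ones Paddy describes, passing the validator while failing the policy, and the last row shows why escaping is still needed after the policy check has passed.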
