> I suppose I could munge with the apache tables directly in a hook before
> the data is read by the standard treat_data hook, although for post data
> I am not sure I have any way to get in there before the
> ap_get_client_block() call and change what data ap_get_client_block() is
> going to see.
I don't think there's a way to do that with Apache 1.x. Would mod_security (http://www.webkreator.com/mod_security/) solve your problem? It is an Apache module that sits between the browser and the script, watching the data flowing by (I patch the core Apache engine to get to the POST data). I am not changing the data at the moment, but was planning to introduce the feature some time in the future.
> The main goal here, in case it wasn't obvious, is to prevent
> cross-site-scripting problems by forcing all user-originating data to be
> cleaned automatically and providing a hoop to jump through in case the
> developer really does want the raw uncleaned data. It isn't something
> that belongs in PHP directly as every site that would be interested in
> this would likely have different security policies, but I do think a
> general hook is something that would be useful to all of PHP.
I cannot agree more. There is only so much you can do outside the PHP (as I do in mod_security).

Bye,
Ivan

--
PHP Development Mailing List <http://www.php.net/>
