Hi.

There was a bug yesterday:
http://bugs.php.net/bug.php?id=54584
which made me realize that we don't have any documentation about security
issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
I think that we should extend the current security documentation at
http://php.net/manual/en/security.php and we should link this section in the
other part of the docs where it is relevant.
For example the reserved variables section should link to the security
implications of user-submitted data.
Another thing that I would like to discuss: what should be the scope of the
security docs?
My personal opinion is that we should have complete documentation about
the general web-related and the PHP-specific security issues and their
mitigations.
So it should contain everything from best practices for filtering/stripping
HTML from user input and properly handling uploads, through security-related
configuration options, to securing the web server itself (or at least linking
the relevant documentation from the vendors), like how to set up an
mod_php/fastcgi/php-fpm installation from the security POV, chroot/jail,
etc.
I would happily contribute to such documentation, but first of all I would
like to know what you think about it.

Personally I would love the idea of having that kind of documentation in the
PHP manual, because it would have the greatest audience; if that isn't
viable, I would like to have a section on wiki.php.net and link to that from
the docs.

Tyrael
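As an added illustration of the point raised in the message above (this is example code, not from the post, the bug report, or the PHP manual), the following shows the two issues the proposed documentation would need to cover first: reflecting a reserved variable such as $_GET into HTML unescaped (XSS), and accepting a state-changing POST without a per-session token (CSRF). The function names, the $get/$post/$session arrays standing in for the superglobals, and the sample request values are all constructed for the example; it assumes PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing list post above.
// $get, $post and $session are plain arrays standing in for $_GET, $_POST
// and $_SESSION so the script runs from the CLI without a web server.

// Vulnerable: the raw query parameter is interpolated straight into markup,
// so a value containing <script> or an event-handler attribute executes.
function render_greeting_vulnerable(array $get): string
{
    $name = $get['name'] ?? 'guest';
    return "<p>Hello, $name!</p>";
}

// Hardened: escape for the HTML text/attribute context at output time.
// ENT_QUOTES covers both quote styles so the value is also safe inside a
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently drop the output).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting_safe(array $get): string
{
    $name = $get['name'] ?? 'guest';
    return '<p>Hello, ' . e($name) . '!</p>';
}

// CSRF: issue one random token per session, embed it in every form that
// changes state, and require it back on submission.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded for safe embedding in HTML.
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? '';
    $given    = $post['csrf'] ?? '';
    // hash_equals() compares in constant time; the is_string() guard keeps
    // an attacker-supplied array (csrf[]=x) from raising a TypeError.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed sample request (not captured traffic).
$get = ['name' => '<script>alert(document.cookie)</script>'];
echo render_greeting_vulnerable($get), PHP_EOL;  // script tag passes through unchanged
echo render_greeting_safe($get), PHP_EOL;        // tag rendered as inert text

$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, ['csrf' => $token]));    // legitimate form post
var_dump(csrf_valid($session, ['csrf' => 'forged']));  // cross-site forgery
var_dump(csrf_valid($session, []));                    // token omitted
```

The escaping helper is applied at output, not at input: the same string may later go into a URL, a JavaScript literal or a SQL query, each of which needs its own encoding, so "filtering HTML out of input" on its own does not close the XSS hole the message mentions.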
