On Sun, 15 Feb 2004, Jan Lehnardt wrote:

> On 8 Feb 2004, at 21:26, Rasmus Lerdorf wrote:
> > Perhaps the real answer here is to turn on input filtering by default
> > so we defeat XSS once and for all across the board.
>
> Seems like nobody is interested. I'd like to see some sort
> of discussion on this. How would or should an actual implementation
> look in PHP 5? What are the benefits
> (obvious, but still), what are the drawbacks (partly obvious,
> but still)? Is it PHP's role to provide this kind of
> XSS prevention built-in or is it sufficient to give the
> possibility to add it by hand (like now)? What is
> internals' opinion on this?
I don't think there is any question that PHP should play a role in helping
people solve XSS, which is why I added it to PHP5. However, as it is, the
average person is not going to use it since it requires implementing the
security policy in C.

Implementation-wise we could go all out and break everything. Add a
striptags-like filter to be applied to all remote input data and have an
access function that lets you get the raw data. So something like:

    input data POST data foo          : Hi <b>[EMAIL PROTECTED]</b>
    what you see in $_POST['foo']     : Hi [EMAIL PROTECTED]
    get_raw_data(POST, 'foo')         : Hi <b>[EMAIL PROTECTED]</b>
    get_raw_data(POST, 'foo', MAIL_FILTER): [EMAIL PROTECTED]

with various other filters possible along with user-supplied ones.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
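The scheme Rasmus sketches above, modelled in userland PHP as an added example (not code from the message or from PHP itself): only get_raw_data, POST and MAIL_FILTER are taken from the mail; the InputFilter class, the RAW_FILTER and TAGS_FILTER constants, register() and the sample request are assumptions made here.

```php
<?php
// Userland model of the design sketched in the mail: every remote value passes a
// striptags-like default filter, and get_raw_data() returns the raw value or a
// named filtered view of it. Only get_raw_data, POST and MAIL_FILTER come from
// the message; InputFilter, RAW_FILTER, TAGS_FILTER and register() are assumed.
const POST        = 'POST';
const RAW_FILTER  = 0;   // untouched input
const TAGS_FILTER = 1;   // default filter: strip markup
const MAIL_FILTER = 2;   // keep only a validated mail address

final class InputFilter
{
    private array $raw;       // raw input keyed by source, e.g. [POST => [...]]
    private array $filters;   // filter id => callable(string): ?string
    public function __construct(array $sources)
    {
        $this->raw = $sources;
        $this->filters = [
            RAW_FILTER  => fn(string $v): string => $v,
            TAGS_FILTER => fn(string $v): string => strip_tags($v),
            MAIL_FILTER => function (string $v): ?string {
                // pull one address out of the surrounding text, then validate it
                if (!preg_match('/[^\s<>]+@[^\s<>]+/', $v, $m)) return null;
                $addr = filter_var($m[0], FILTER_VALIDATE_EMAIL);
                return $addr === false ? null : $addr;
            },
        ];
    }

    // user-supplied filters, as the mail allows for
    public function register(int $id, callable $f): void { $this->filters[$id] = $f; }

    // what $_POST would contain: every value passed through the default filter
    public function filtered(string $source): array
    {
        return array_map($this->filters[TAGS_FILTER], $this->raw[$source] ?? []);
    }

    // get_raw_data(POST, 'foo') or get_raw_data(POST, 'foo', MAIL_FILTER)
    public function get_raw_data(string $source, string $key, int $filter = RAW_FILTER): ?string
    {
        $v = $this->raw[$source][$key] ?? null;
        return $v === null ? null : ($this->filters[$filter])($v);
    }
}

// constructed request mirroring the mail's "foo" example (the address is made up)
$in = new InputFilter([POST => ['foo' => 'Hi <b>someone@example.org</b>']]);
var_dump($in->filtered(POST)['foo'], $in->get_raw_data(POST, 'foo'), $in->get_raw_data(POST, 'foo', MAIL_FILTER));
```

strip_tags() removes markup rather than escaping it, so a default filter of this kind only narrows what reaches the script; values written back into a page still need context-appropriate escaping such as htmlspecialchars().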