Julien,

> Implementing this to Core may be very nice, but as well very hard to do.
> String escaping is a pain to implement in C. One would tell: once
> it's done, it's OK, but unfortunately, that's not the case, as XSS
> rules evolve through time as the attacks evolve.
>
> See the escape modules web servers tried to push (mod_security and its
> counterpart in Nginx), it's a PITA to maintain if you want something that
> covers a large area.
> By the way: why not let the web server do this, as nowadays they seem
> to manage that problem?
As Padraic indicated, this is solving a different problem than the web server even can. This has to be solved at the application layer (it physically can't be solved above it)...

As far as implementation pains, if I was to support this, I would want to see something like the ESAPI (Enterprise Security API - by OWASP) used for the actual implementation: http://code.google.com/p/owasp-esapi-c/

Perhaps providing a thin wrapper around it, but I wouldn't go much further than that. And I don't think I'd support our own implementation (not using an established C library)...

Anthony
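The point Anthony makes, that escaping has to happen at the application layer, comes down to output context: the same untrusted string needs a different encoding depending on whether it lands in HTML body text, an HTML attribute, a JavaScript string literal or a URL query parameter, and only the application knows which. The following userland PHP is an added example written for this page; it is not code from the thread, from PHP core or from ESAPI, and the function names and the sample input are constructed for illustration. It uses only PHP's built-in `htmlspecialchars`, `json_encode` and `rawurlencode`.

```php
<?php
// Added example (not from the thread): per-context escaping in userland PHP.
// A web-server-level filter sees one byte stream and cannot know which of
// these four contexts a given value will be rendered into.

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// HTML body text: <, >, &, " and ' become entities; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string (a silent failure mode).
function escapeHtmlBody(string $s): string
{
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

// HTML attribute value: same entity set, but the caller MUST wrap the result
// in double quotes; an unquoted attribute cannot be made safe by escaping.
function escapeHtmlAttr(string $s): string
{
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

// JavaScript string literal inside an inline <script>: json_encode yields a
// quoted literal, and the JSON_HEX_* flags hex-escape < > & ' " so the output
// can never terminate the surrounding <script> element or break out of quotes.
function escapeJsString(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// URL query parameter: percent-encoding per RFC 3986, for a single value only
// (never for an entire URL, where it would also encode the separators).
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample input: a typical attribute-breakout probe.
$untrusted = '"><script>alert(1)</script>';

// Each sink gets the encoder that matches its context. Using the HTML encoder
// in the JS context (or vice versa) would leave an injection open, which is
// exactly the decision a web server cannot make on the application's behalf.
printf("<p>%s</p>\n", escapeHtmlBody($untrusted));
printf("<input value=\"%s\">\n", escapeHtmlAttr($untrusted));
printf("<script>var name = %s;</script>\n", escapeJsString($untrusted));
printf("<a href=\"/search?q=%s\">search</a>\n", escapeUrlParam($untrusted));
```

Run it with `php example.php` (PHP 7.3 or later for `JSON_THROW_ON_ERROR`). The contexts that are deliberately absent, such as CSS values, URLs placed in `href` with an attacker-controlled scheme, or values inside HTML comments, are where a library like ESAPI earns its keep, which is the maintenance burden the thread is weighing.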