Hi Pádraic!

On Tue, Sep 18, 2012 at 1:30 PM, Pádraic Brady <padraic.br...@gmail.com> wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
Like the idea, while I have to sit on it a bit to see the possible pitfalls :)

However, I am really not a fan of using a class as a namespace. All these methods have nothing in common but what they do: they all treat different inputs, may have different options, etc. Functions could work just as well for that, or if necessary (see my ajaxmin ext) create a class per input and add the necessary properties for the options. That could be much cleaner and forward compatible.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
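An added illustration of the per-context functions Pierre suggests (one function per output context rather than a class used as a namespace). This is editor-supplied code, not the RFC's proposed API and not Zend\Escaper or Twig; it assumes PHP 7.3 or later (mb_ord() and JSON_THROW_ON_ERROR), and the input value and the safe-character set are my own choices. The point it shows is the one the RFC is about: htmlspecialchars() is the right tool for HTML body text, but on its own it is not enough for an unquoted attribute, a script block or a URL, because each of those contexts has different delimiters.

```php
<?php
// Editor-supplied example, not the RFC's or Zend\Escaper's code.
// One plain function per output context, all treating input as UTF-8.
declare(strict_types=1);

/** HTML body text, e.g. <p>...</p>: encode the characters that can start markup. */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * HTML attribute value, quoted or not: encode every character outside a small
 * safe set as a numeric entity, so a space can never start a second attribute.
 * The safe set (alphanumerics plus , . _ -) is an assumption of this example.
 */
function escape_html_attr(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m): string {
        return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')); // mb_ord(): PHP 7.2+
    }, $s);
}

/**
 * JavaScript string literal inside <script>: returns a quoted literal with
 * < > & ' " hex-escaped, so "</script>" inside the data cannot end the block.
 * json_encode() also escapes U+2028/U+2029 by default (JS line terminators).
 */
function escape_js_literal(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** URL query component: percent-encode, then the caller escapes for the surrounding context. */
function escape_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample input: a value under the user's control, rendered in four contexts.
$input = 'x onmouseover=alert(1)';

// 1. HTML body: htmlspecialchars() is sufficient, no markup characters survive.
echo '<p>' . escape_html($input) . "</p>\n";

// 2. Unquoted attribute: htmlspecialchars() leaves the space alone, so the browser
//    sees a second attribute (an event handler the user chose).
echo '<div title=' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . ">\n"; // two attributes
echo '<div title=' . escape_html_attr($input) . ">\n";                      // one attribute value

// 3. JavaScript string inside <script>: a closing tag in the data must not end the block.
echo '<script>var v = ' . escape_js_literal('</script><script>alert(1)</script>') . ";</script>\n";

// 4. URL parameter inside an attribute: URL-encode first, then attribute-encode the result.
echo '<a href="/search?q=' . escape_html_attr(escape_url_param($input)) . "\">search</a>\n";
```

Run with `php escaper_example.php` and compare the two `<div title=...>` lines: the first still carries an `onmouseover` attribute, the second does not. The layering in step 4 (URL-encode, then encode for the attribute that holds the URL) is the general rule when one context is nested inside another: escape for the innermost context first and work outward.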