Hi Stas, On Tue, Sep 18, 2012 at 5:56 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote: > Hi! > >> The point of the RFC is to ensure a consistent API for escaping is >> available to all PHP programmers without resorting to userland > > I do not see why "without resorting to userland" is a worthy goal in > every case. It's like saying "I want to code in Python without ever > using import" or "I want to code in Perl without ever using CPAN". Makes > no sense, right? Why we should insist on this in PHP?
Programmers haven't figured out how to use the 1-2 covering functions that already exist and you expect them to do it in userland code? Maybe we should ditch json_encode() tomorrow. I can do it in userland code too. PHP does a LOT of things possible in userland code. The argument I made in the RFC boils down to simply giving programmers a helping hand. They are writing insecure code because PHP isn't fulfilling that need for one of the most serious security risks in PHP today. Surely that warrants action to serve programmers? >> solutions. Existing functions are widely misused, misconfigured or >> have builtin security issues yet are popularly advanced as "escaping" >> for XSS. > > Do you think your functions won't be misused, misconfigured and never > would have bugs? Exactly the same would happen. Having yet another API > doing the same as old API is not a solution. They have one configuration value. All other behaviour is fixed. How is this remotely similar to the "old API"? Misuse can be constrained to calling the wrong function and setting the wrong character encoding. That's 2 versus the list of flaws in htmlspecialchars() I blogged about (the link is in the RFC) and whatever might theoretically exist if PHP actually had Javascript and CSS options. > -- > Stanislav Malyshev, Software Architect > SugarCRM: http://www.sugarcrm.com/ > (408)454-6900 ext. 227 -- Pádraic Brady http://blog.astrumfutura.com http://www.survivethedeepend.com Zend Framework Community Review Team -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
