On 18/09/12 13:30, Pádraic Brady wrote:
> Hi all,
>
> I've written an RFC for PHP over at: https://wiki.php.net/rfc/escaper.
> The RFC is a proposal to implement a standardised means of escaping
> data which is being output into XML/HTML.
>
> Cross-Site Scripting remains one of the most common vulnerabilities in
> web applications and there is a continued lack of understanding
> surrounding how to properly escape data. To try and offset this, I've
> written articles, attempted to raise awareness and wrote the
> Zend\Escaper class for Zend Framework. Symfony 2's Twig has since
> adopted similar measures in line with its own focus on security.
>
> That's all. The RFC should be self-explanatory and feel free to pepper
> me with questions. As the RFC notes, I'm obviously not a C programmer
> so I'm reliant on finding a volunteer who's willing to take this one
> under their wing (or into their basement - whichever works).
>
> https://wiki.php.net/rfc/escaper
>
> Best regards,
> Paddy
I'm fine with the concept, but I'm not sold on the interface.
It should be really clear when each of them should be used.

escapeHtml()
Ok, this is going to be used to show content inside a html document.

escapeHtmlAttr()
Use when using unquoted html attributes, otherwise use html escaping.
When was the last time I saw an unquoted attribute with user-provided content?


I think it should be replaced by a quoteHtmlAttr() function which properly 
escapes the content and adds the quotes for you (or it might skip them 
if it determines it's not needed in this case).


escapeJs()
Escape javascript... but inside <script> tags, I guess? So it's not to be
used for dynamically generated javascript. Not so clear.

escapeCss()
I'm not even sure in which cases would this be needed. Standalone CSS, inside
a <style> tag, as style="" attribute?

escapeUrl()
"It is included primarily for consistency". When do I need to use escapeUrl and
when escapeHtml? What if it's an url inside a css tag inside a html document?

It makes things more confusing, so I'd remove it.
It should be clear what you are passing to that function and in which context
it expects you to leave the output.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
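The following is an added example and is not code from the RFC, from Zend\Escaper or from either poster. It illustrates the point raised in the reply above about escapeHtmlAttr() versus a quoteHtmlAttr() that adds the quotes itself: the function names mirror the thread, but the escaping rules, the optional quote omission and the attacker string are assumptions made here for demonstration (it relies on the mbstring extension for mb_ord()).

```php
<?php
// Added example (not the RFC's or Zend\Escaper's code): the three HTML
// attribute-related contexts discussed in the thread, side by side.
// Escaping rules below are illustrative assumptions, not the RFC's API.

declare(strict_types=1);

// Context 1: text between tags. The HTML special characters are the only
// way to end a text node, so htmlspecialchars() is sufficient here.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 2: an attribute value that is NOT wrapped in quotes. Whitespace,
// '=', '/' and '`' also terminate the value there, so (as an assumption
// in the spirit of the OWASP rule) every character outside [A-Za-z0-9] is
// emitted as a hexadecimal character reference. Requires mbstring.
function escapeHtmlAttr(string $s): string
{
    $out = preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static function (array $m): string {
            return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
        },
        $s
    );
    if ($out === null) {
        // preg_* returns null on invalid UTF-8; refuse rather than emit it.
        throw new InvalidArgumentException('attribute value is not valid UTF-8');
    }
    return $out;
}

// The quoteHtmlAttr() suggested in the reply: escape, then add the quotes
// so the caller cannot forget them. A value made only of [A-Za-z0-9_-]
// cannot terminate an unquoted attribute, so for those the quotes are
// omitted (the optional behaviour the reply mentions); anything else,
// including the empty string, is escaped and wrapped in double quotes.
function quoteHtmlAttr(string $s): string
{
    if (preg_match('/^[A-Za-z0-9_-]+$/', $s) === 1) {
        return $s;
    }
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Constructed attacker input: it contains no '<', '>' or quote characters,
// so escapeHtml() leaves it untouched. In an unquoted attribute the space
// ends the value and the rest becomes an event-handler attribute.
$payload = 'x onmouseover=alert(1)';

// Wrong: HTML-body escaping used for an unquoted attribute.
$unquotedWrong = '<div title=' . escapeHtml($payload) . '></div>';
// Right: attribute escaping, every delimiter becomes a character reference.
$unquotedRight = '<div title=' . escapeHtmlAttr($payload) . '></div>';
// Also right: the value is quoted for you, so the space is harmless.
$quoted = '<div title=' . quoteHtmlAttr($payload) . '></div>';
// Quote omission in action: a safe token needs no quotes at all.
$plain = '<div class=' . quoteHtmlAttr('note-1') . '></div>';

foreach ([$unquotedWrong, $unquotedRight, $quoted, $plain] as $html) {
    echo $html, PHP_EOL;
}
```

Running it shows the first line still carrying a space followed by onmouseover= as a separate attribute, while in the second the space and the '=' have become &#x...; references and in the third the whole value sits inside double quotes; the last line has no quotes because the token cannot break out. Whether the quote omission is worth the extra rule is exactly the interface question the reply raises.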
