On Tue, Sep 18, 2012 at 8:50 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:

> On 09/18/2012 03:46 PM, Pádraic Brady wrote:
>> Bear in mind the RFC, in userland (and likely any PECL ext) implements
>> the ESAPI rules. They've been hacked on a lot over the years which is
>> why I made sure they were followed exactly. It's very unlikely that a
>> browser bug could scupper these unless they allowed in more unencoded
>> characters to be taken advantage of. There are benefits to reusing
>> pre-peer review rules.
>
> Sure, but you have potential for buffer overflows, regex
> backtrack/recursion issues and general programming errors when this
> moves to C. I guarantee there will be dozens of bugs in the first
> version no matter who writes it.
Hi Rasmus,

The existing implementations at Symfony/Zend are working pretty well. They're using string manipulation and regex functions. If we port it to C, can't we still use the exact same functions that the PHP_FUNCTION() macros are calling, to pretty much clone it? Would this minimise the amount of change (if any)?

- Paul

> -Rasmus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
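The allowlist rule Pádraic describes (encode everything that is not explicitly safe, so no "more unencoded characters" can slip through), as an added userland example in the style the thread discusses; this is illustrative code, not the RFC's or Zend\Escaper's own implementation, and the function name and test inputs are constructed here:

```php
<?php
// Added example (not the RFC's or Zend\Escaper's code): an ESAPI-style
// HTML attribute escaper in userland PHP. Only alphanumerics and ",.-_"
// pass through; every other code point is encoded, so a browser parsing
// quirk has no unencoded character left to exploit.
function escapeHtmlAttr(string $string, string $encoding = 'UTF-8'): string
{
    // Normalise to UTF-8 so the /u regex sees real code points, not bytes.
    $string = mb_convert_encoding($string, 'UTF-8', $encoding);
    if (!mb_check_encoding($string, 'UTF-8')) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    $result = preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m): string {
        $chr = $m[0];
        $ord = mb_ord($chr, 'UTF-8'); // PHP >= 7.2
        // Control characters (except tab/newline/CR) and the C1 range are
        // replaced by U+FFFD, the OWASP/ESAPI rule for attribute context.
        if (($ord <= 0x1f && $chr !== "\t" && $chr !== "\n" && $chr !== "\r")
            || ($ord >= 0x7f && $ord <= 0x9f)) {
            return '&#xFFFD;';
        }
        // Named entities where HTML defines them; numeric hex for the rest.
        static $named = ['"' => '&quot;', '&' => '&amp;', '<' => '&lt;', '>' => '&gt;'];
        if (isset($named[$chr])) {
            return $named[$chr];
        }
        return sprintf($ord > 0xff ? '&#x%04X;' : '&#x%02X;', $ord);
    }, $string);
    if ($result === null) {
        // A PCRE failure (e.g. backtrack limit) must not be silently treated as "safe".
        throw new RuntimeException('preg_replace_callback failed: ' . preg_last_error());
    }
    return $result;
}

// Constructed inputs with their expected encodings.
$cases = [
    'plain-value_1.2'      => 'plain-value_1.2',
    'a "quoted" <b>'       => 'a&#x20;&quot;quoted&quot;&#x20;&lt;b&gt;',
    "caf\u{E9} & \u{4E2D}" => 'caf&#xE9;&#x20;&amp;&#x20;&#x4E2D;',
];
foreach ($cases as $in => $want) {
    $got = escapeHtmlAttr($in);
    printf("%s %s\n", $got === $want ? 'ok  ' : 'FAIL', $got);
}
```

Note that a C port of the same rule has to reproduce both the allowlist and the failure handling: a regex or buffer error that returns the input unchanged is exactly the "allowed in more unencoded characters" case the thread warns about.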