>> Hi Steve,
>
> Who's he? :)

Everybody knows Steve! :P I know at least 10!

>> The ESAPI API uses encodeForHTML, encodeForCss, etc. We can name these
>> in a few different styles which would all be semantically correct but
>> my own sentiment is often to keep the naming simple.
>
> The naming is unclear just now though.

Then I suggest including "For" in all of them: escapeForHtml, escapeForUrl,
etc. That should clear it up somewhat that we're not targeting whole blocks
of HTML/JS/CSS.

>> For example, I'd prefer escapeForCss vs escapeCSSStringLiteral though
>> both would be valid English literal alternatives to escapeCss.
>
> You can't just have escapeForCSS, you need two functions: one for CSS
> identifier names (.identifier, #identifier, etc.), and one for CSS strings
> (background-image: url('string'); or content: 'string')

Not really, the target here is breaking out of a CSS or HTML context. If you
allow users to alter identifiers or properties then escaping is just wrong -
you should be sanitising instead to make sure the CSS is still well formed
and agrees with a whitelist of allowed ids/props.

> Also, escapeForJS isn't very clear, you should explicitly specify you're
> escaping a string of text for a JavaScript string literal. I don't think you
> can escape JS identifier names.

JS is purely for literal values and not any JS variables/statements or
anything else. Those can never ever be subject to any form of untrusted
input.

Paddy

-- 
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
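The distinction drawn in the message above (one escaper per literal context, and a whitelist rather than an escaper for CSS identifiers) as an added, self-contained example. This is illustrative code written for this page; it is not from the original thread, from ESAPI or from Zend Framework, and the function names escapeForHtml, escapeForCss, escapeForJs and sanitizeCssIdentifier are the proposed naming style applied here, not an API that exists anywhere. It assumes PHP 7.4 or later with the mbstring extension and UTF-8 input and output; the untrusted input string is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the original message, ESAPI or Zend Framework).
 * One escaper per literal context, named "escapeFor<Context>"; identifiers
 * are validated against a whitelist instead of being escaped.
 * Assumptions: PHP 7.4+, mbstring available (mb_ord), UTF-8 throughout.
 */

// HTML text nodes and quoted attribute values.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Contents of a CSS string literal, e.g. content: '...' or url('...').
// Every ASCII byte outside [A-Za-z0-9] becomes a \HH hex escape followed by a
// space (the space terminates the escape), so ' " \ ; } < > / * and newlines
// can no longer close the literal, the declaration block, or the <style>
// element (the HTML parser never sees a literal "</style>"). Non-ASCII code
// points cannot end a CSS string and are passed through unchanged.
function escapeForCss(string $s): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9\x80-\xff]/',
        fn(array $m): string => sprintf('\\%02X ', ord($m[0])),
        $s
    );
}

// Contents of a JavaScript string literal inside a <script> block.
// ASCII outside [A-Za-z0-9] becomes \xHH; every other code point becomes
// \uHHHH (a surrogate pair above U+FFFF). This also neutralises U+2028 and
// U+2029, which some engines treat as line terminators even inside a string
// literal, and "</script>", which would otherwise end the script element
// regardless of the surrounding quotes.
function escapeForJs(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp > 0xFFFF) {
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
        return sprintf('\\u%04X', $cp);
    }, $s);
}

// CSS identifiers (.class, #id, property names) are not a literal context:
// an escaped identifier is still an identifier, just a different one, so
// escaping buys nothing. Check the shape and require membership in a
// whitelist; reject anything else outright.
function sanitizeCssIdentifier(string $id, array $allowed): string
{
    if (!preg_match('/^-?[_a-zA-Z][_a-zA-Z0-9-]*\z/', $id) || !in_array($id, $allowed, true)) {
        throw new InvalidArgumentException("CSS identifier not allowed: $id");
    }
    return $id;
}

// Constructed untrusted input that tries to break out of all three contexts.
$name = "O'Neil</script><script>alert(1)</script>";

// A user-chosen theme lands in a selector, so it goes through the whitelist.
$allowedThemes = ['light', 'dark', 'high-contrast'];
$theme = sanitizeCssIdentifier('dark', $allowedThemes);   // 'dark'
// sanitizeCssIdentifier("dark}body{display:none", $allowedThemes) throws.

echo '<div class="', escapeForHtml($theme), '" data-name="', escapeForHtml($name), '">', "\n";
echo '<style>.', $theme, ' .badge::after { content: \'', escapeForCss($name), '\'; }</style>', "\n";
echo '<script>var user = \'', escapeForJs($name), '\';</script>', "\n";
echo '</div>', "\n";
```

Each escaper is only correct for the context in its name: escapeForCss output is safe inside a CSS string literal but not as a bare property value, and escapeForJs output is safe only between the quotes of a JS string literal, never as a variable name or statement, which is the point of the message above.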