I am beginning to see this as another 'date/time' type of problem. Adopt the
standard that everything internally is UTC and many of the problems go away.
I can remember discussions on unicode and PHP6. PHP5 was just being RC'ed with
tools for handling unicode (mbstring) but there was no coherence on how to
handle things ... as there still isn't. I was hoping that PHP6 would be
internally unicode, and then one only had to ensure that the interfaces
correctly coded to and from unicode. Internally everything is easy because there
are no 'encoding problems'.
'Content' going in and out needs to be correctly processed and that is the base
of this. The bulk of my own 'persistent data' is content such as 'wiki', 'blog',
'forum posts', 'articles' and so on. Others will most likely say that I should
not be using 'html' as the storage medium, but it does provide a flexible
standard format and 'ckeditor' provides a generic editor for all content. The
problem of course is that we are storing html tags within the data so 'crude'
filtering using htmlspecialchars is not practical. The current process sanitizes
data input for normal users, but still allows 'admin' users direct source access
which is still a security risk, but we have to trust someone.
My point here is that much of what is being discussed on 'a core anti-XSS
escaping class' is missing some of the basic problems and 'filtering' is my
own take on the correct way of managing this! Many of the recent XSS holes have
simply been the likes of the 'highlight' function in smarty which had no
filtering at all ... and just needed sanitizing before anything was done with
it. This 'class' is purely targeting a small area of the problem and repackaging
functions which still need the user to understand which 'filter' to apply to
which string. If it is expected to simply apply a process to the output which will
'protect users' then it can never succeed. The users need to understand just
where to 'filter' the strings they are using and what filters to use.
Now if what is proposed is a 'class' that will decompose an html page with
embedded css and js and magically remove any XSS injection then it might be
useful, and I think the creator of that would be in line for a Nobel prize?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
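As an added illustration of the point made in the post above, that the user of an escaping class still has to know which filter belongs to which output context, here is example code that is not from the original post or from PHP's own source; the function names and the sample input are assumptions made for the example:

```php
<?php
// Added example, not code from the original post: one untrusted string escaped
// for three different output contexts. The correct filter depends entirely on
// where the string lands in the page, which no single "escape everything" call
// can decide for you.

// Constructed sample input, shaped like a form field an attacker might submit.
$untrusted = "\" onmouseover=\"alert(1)\" x=\"</script><script>alert(2)</script>";

// 1. HTML text and quoted attribute values: entity-encode & < > " and '.
//    ENT_QUOTES matters: without it a single-quoted attribute stays injectable.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Inside a <script> block the browser does NOT decode HTML entities, so
//    htmlspecialchars() leaves the script with a literal "&lt;" instead of "<"
//    and does nothing about backslashes or line breaks, which do matter inside
//    a JS string literal. Emit a JSON string literal instead and hex-encode
//    < > & ' " so that "</script>" can never appear literally in the output.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 3. A query-string parameter inside an href: percent-encode for the URL, then
//    entity-encode, because the whole href is still an HTML attribute value.
function escapeUrlParam(string $s): string
{
    return escapeHtml(rawurlencode($s));
}

// Renders the same value into each context with the filter that fits it.
// Swapping any two of these filters is exactly how the holes discussed above arise.
function render(string $value): string
{
    return '<p>' . escapeHtml($value) . "</p>\n"
        . '<input value="' . escapeHtml($value) . "\">\n"
        . '<script>var name = ' . escapeJs($value) . ";</script>\n"
        . '<a href="/search?q=' . escapeUrlParam($value) . "\">search</a>\n";
}

echo render($untrusted);
```

Note that none of these filters applies to content that is meant to stay HTML, such as the stored wiki and blog pages mentioned in the post; that case needs an allow-list sanitizer rather than escaping.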