> My whole point here is identifying WHAT needs 'escaping'. You can't simply
> 'escape' the output stream, you still want html tags to get out?

This problem is specific to YOU, because (as far as I understood your previous post) you decided to store big chunks of HTML in your data store. It is not a problem with this proposal, or a problem in general.

> Perhaps HTMLPurifier should be a requirement everywhere, but then you need
> to 'pre-process' the content so as to allow through the 'text' that you want
> to display, which may well be an example of an XSS attack? You can only apply
> 'escape' to elements that you have identified as needing it and need to let
> through those that do not.

No, it should not be a requirement. Most people inject directly into attributes or into tags in a template fashion; they don't have to parse their own output, because they generate it in a sensible fashion.

> It is the 'filtering' out of the material that needs processing that is
> the problem? And I have no doubt that someone will find a hole that allows
> them to sneak past the filtering?

Again, your problem, not one with the escape function proposal. Also again, may I direct you to the general user list, and maybe someone there will feel like helping you with how to parse your HTML blobs, since this really isn't the concern of internals.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
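The distinction the reply draws (escape each untrusted value where the template injects it, rather than filtering the whole output stream) as an added example; this is illustrative code, not from the thread or from the PHP proposal, and the function names, template and sample inputs are invented here:

```php
<?php
// Added example (not from the thread): escaping at the injection point, per context.
// Untrusted values are escaped as they are placed into the template; the markup the
// template author wrote is never touched, so the wanted tags "get out" unchanged.

function esc_html(string $value): string {
    // Text-node context: turn < > & " ' into entities.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_attr(string $value): string {
    // Attribute context: same entities; the template must always quote the attribute.
    // Note: this does not validate URL schemes, so a href slot also needs a scheme check.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_path(string $url): string {
    // Hypothetical URL-slot check for this example: only relative paths are accepted.
    return (substr($url, 0, 1) === '/' && substr($url, 0, 2) !== '//') ? $url : '#';
}

function render_profile(string $name, string $link): string {
    // Template-style injection: the author controls the tags, data is escaped per slot.
    return '<p class="user">Hello, <b>' . esc_html($name) . '</b>! '
         . '<a href="' . esc_attr(safe_path($link)) . '">Profile</a></p>';
}

// Constructed untrusted inputs, as a user might submit them.
$name = 'Bob <script>alert(1)</script>';
$link = '/u/bob" onmouseover="alert(1)';

// The angle brackets and quotes in the data become entities; the template's own
// <p>, <b> and <a> tags are emitted as-is.
echo render_profile($name, $link), PHP_EOL;

// The stored-HTML case the thread argues about is a different problem: escaping a
// whole HTML blob turns its wanted tags into visible text, so such content has to be
// parsed and sanitised (the thread mentions HTMLPurifier) rather than escaped.
$stored_html = '<p>Rich <em>text</em> from the data store</p>';
echo esc_html($stored_html), PHP_EOL;
```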