Hi Andrey,

On Wed, Jun 24, 2015 at 6:20 PM, Andrey Andreev <n...@devilix.net> wrote:
> On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > Hi Xinchen,
> >
> > On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui <larue...@php.net> wrote:
> >
> > > and for the "age" usage you replied in github, I think the author of
> > > such code should be aware: if it's only a number, then instead of
> > > htmlspecialchars($age), he should echo $age directly... which is
> > > faster.
> >
> > To build secure apps, users MUST escape everything for the context by
> > _default_. Selective escaping is the cause of injection vulnerabilities,
> > especially with a language like PHP.
> >
> > The principle is "Don't think, escape all (for the context)".
>
> The key word here is "context" ... you know that there's nothing to
> escape for an integer, because the type is your context.
>
> Selective escaping isn't a problem by itself, but many people use
> a blacklist approach instead of a whitelist one; and you can only fix
> that with education.

Right, and I agree. Selective escaping isn't a problem by itself, but people make
mistakes, make wrong assumptions, and use the wrong, blacklist approach.

The same variable can be generated by different code paths/sources. It can be very
hard to be sure a variable really is an int/float without validation. If one would
like to make sure what a variable is and skip escaping, they need something like

<td><?php echo is_numeric($var) ? $var : htmlspecialchars($var) ?></td>

It's much easier with unconditional escaping everywhere, like

<td><?php echo htmlspecialchars($var) ?></td>

if htmlspecialchars() is fast enough for int/float. (I'm not sure which one is faster.)

One example is SQLite, where making sure of a variable's type can be difficult.
SQLite can store a string _regardless_ of the column type definition. If developers
add SQLite support, in addition to MySQL/PostgreSQL, they may create an attack vector
if they don't escape unconditionally.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
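The SQLite case described above, worked through as an added example that is not part of the original thread or of PHP's own code. It assumes a PHP build with the pdo_sqlite extension; the table, the row values and the `<img ...>` payload string are constructed for the demonstration. The column is declared INTEGER, yet SQLite's type affinity stores any text that cannot be coerced to an integer as TEXT, so a template that skips escaping because "the schema says it is a number" emits the stored markup verbatim, while unconditional htmlspecialchars() is unaffected.

```php
<?php
// Added example (not from the original thread): SQLite type affinity vs. selective escaping.
declare(strict_types=1);

// Constructed in-memory database. Schema says "age INTEGER", but SQLite only
// applies that as an affinity: non-integer text is stored as TEXT regardless.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');

$ins = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$ins->execute([':name' => 'alice', ':age' => 42]);
// Same column, but a string that is not an integer: SQLite keeps it as TEXT.
// (Constructed payload; e.g. a value that arrived via an unvalidated form field.)
$ins->execute([':name' => 'mallory', ':age' => '<img src=x onerror=alert(1)>']);

$rows = $pdo->query('SELECT name, age, typeof(age) AS t FROM users ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

// "Selective" rendering: the developer reasoned "age is INTEGER in the schema,
// nothing to escape", so only the obviously textual column is escaped.
function render_selective(array $row): string
{
    return '<td>' . htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8')
         . '</td><td>' . $row['age'] . '</td>';
}

// "Escape everything" rendering: every value goes through htmlspecialchars(),
// integers included. Escaping a real integer changes nothing; escaping a
// string that merely claimed to be an integer neutralises it.
function render_unconditional(array $row): string
{
    return '<td>' . htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8')
         . '</td><td>' . htmlspecialchars((string) $row['age'], ENT_QUOTES, 'UTF-8') . '</td>';
}

foreach ($rows as $row) {
    // typeof(age) is "integer" for alice and "text" for mallory; is_numeric()
    // is the runtime check the schema type alone cannot give you.
    printf("%-8s typeof(age)=%-8s is_numeric=%s\n",
           $row['name'], $row['t'], var_export(is_numeric($row['age']), true));
    echo "  selective:     " . render_selective($row) . "\n";
    echo "  unconditional: " . render_unconditional($row) . "\n";
}
```

For the second row, render_selective() emits the stored `<img ...>` tag unchanged inside the `<td>`, whereas render_unconditional() emits `&lt;img src=x onerror=alert(1)&gt;`. The point is not that the database driver is buggy: a validation step such as is_numeric() at render time would also catch this, but it has to be present on every code path that reaches the template, which is exactly what escape-by-default makes unnecessary.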