On 19 June 2016 at 10:56, Lester Caine <les...@lsces.co.uk> wrote:

> On 19/06/16 09:38, Михаил Востриков wrote:
>> My point is that the main job of the echo operator "<?= ?>" is to output an unknown value from the database to an HTML environment. So in all these places we should copy-paste the call of htmlspecialchars() to prevent XSS.
>
> The majority of XSS problems are created because the free format input INTO the application is not correctly handled. Simply banging htmlspecialchars() around totally unmanaged text is NOT the solution, and handling the correct filtering of the inputs is where this should be handled.
>
> I'm sure all of you see various attempts at XSS and SQL injections in your log files. About 20% of my overnight traffic is people trying to 'get in', but because I do not allow raw text to get through, all it results in is errors in the log files.
>
> The packages that we have had problems cleaning up have tried using the 'clean the output' approach, but this STILL left holes which can only be fixed by cleaning the input ...
>
This basically means that you lack basic understanding of how escaping and user input are to be handled. Most apps out there are about getting a bunch of text from the user, then rendering it somewhere else in the app. Cleaning user input just leads to frustration and a big mess in most scenarios, which is why we're all talking about escaping output instead. This is not "cleaning" either, it's escaping, which is a non-destructive and reversible operation (which is why it works so well).

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/
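The distinction Marco draws, shown as an added example in PHP (this is illustration code, not anything posted in the thread): "cleaning" the text on the way in is lossy and has no idea where the text will later be rendered, while escaping with htmlspecialchars() at output time is chosen per rendering context and can be reversed exactly. The user input string is constructed for the demo.

```php
<?php
// Added example, not from the original thread: "clean on input" versus
// "escape on output". The input text below is constructed for the demo.
declare(strict_types=1);

// Constructed user input: perfectly legitimate text that happens to contain
// HTML metacharacters (&, quotes, angle brackets).
$userInput = 'Tom & Jerry\'s "Best" <Show> ever';

// Approach 1: "clean" the input before storing it. strip_tags() is a common
// choice, but it is destructive: the legitimate "<Show>" disappears and the
// stored value no longer matches what the user typed.
$storedCleaned = strip_tags($userInput);   // Tom & Jerry's "Best"  ever

// Approach 2: store the text verbatim and escape when rendering, in the
// context it is rendered into. This is what the "<?= ?>" + htmlspecialchars()
// idiom discussed in the thread does.
$storedRaw = $userInput;

function renderText(string $s): string
{
    // Element content: &, <, >, " and ' become entities; the browser
    // displays the original characters, so nothing is lost.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderAttribute(string $s): string
{
    // Attribute values additionally need both quote characters escaped,
    // which ENT_QUOTES provides; the value must still be wrapped in quotes.
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

$html  = '<p>' . renderText($storedRaw) . '</p>' . PHP_EOL;
$html .= '<input value=' . renderAttribute($storedRaw) . '>' . PHP_EOL;
echo $html;

// Escaping is reversible: the exact original text comes back. The stripped
// copy cannot be restored, which is the "non-destructive" point above.
assert(htmlspecialchars_decode(renderText($storedRaw), ENT_QUOTES) === $userInput);
assert($storedCleaned !== $userInput);
```

Run it with assertions enabled (`php -d zend.assertions=1 example.php`) to see both checks pass; the rendered `<p>` and `<input>` show the user's text intact in both contexts.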