On Wed, Oct 25, 2006 at 08:30:45AM -0600, Philip Guenther wrote:
> On 10/25/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> ...
> >Just a half-baked thought, but escaping any non-constant expression
> >(i.e., actual variable, not fixed string) passed to the browser or a
> >database would go a long way toward solving most problems.
>
> That would only work if:
> a) it's unambiguous how the string will be used, so that the correct
> quoting/encoding rules can be selected, and
> b) you never need nested encodings.
>
> ...
> >$hello = "<Hello World>";
> >echo "<Hello World> ", $hello;
> >
> >could produce
> ><Hello World> <Hello World>
>
> So what would this output?
> echo "<a href=\"/cgi/foo?", $hello, "\">", $hello, "</a>"
<a href="/cgi/foo?<Hello World>"><Hello World></a>, obviously, which doesn't
work. The point is not so much that it is more convenient, although it may be,
but that it fails in a way that is less likely to cause problems (this is a
thoroughly broken link; <a href="/cgi/goo?"><script language="Javascript"
alert("Y00 h4v3 b33n pwn3d!");></script><Hello World> is far more dangerous).

So, b) is solved by letting the programmer override the default; I don't see
how a) is a problem, as this should be decided at echo() time. (This could be
implemented as having echo call a 'printHTML' method on each argument, or
somesuch.)

> ...and if the answer is
> <a href="/cgi/foo?%3CHello%32World%3E"><Hello World></a>
>
> then try this:
> echo "<a href=\"/cgi/foo?", $hello, "\">http://server/cgi/foo?",
> $hello, "</a>"
>
> and think about what the goal of that is...

No, trying to decide whether or not to URL-encode is far too much magic for my
liking. For exactly this sort of reason, although this would actually work if
watching for <a> tags.

Not that I'm sure this is actually a good idea, but this would make it harder
for non-programmers, and even for programmers, to make certain common errors.

                Joachim
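An added worked example, not from the thread and not PHP: a context-sensitive echo() of the kind the two messages above are arguing about, written in Python so it can be run as-is. The literal pieces of the template are trusted and drive a small HTML state machine; every other argument is untrusted data and is encoded for the context the literals have put it in (text node, quoted attribute value, or quoted value of a URL-valued attribute, where it is percent-encoded first and HTML-escaped second, the "nested encodings" of point b). The URL_ATTRS set, the Raw wrapper used as the programmer override, and the constructed inputs are assumptions made for this example; the last two cases in demo() reproduce Philip's "http://server/cgi/foo?" objection, once left to the automatic rule and once with the override applied.

```python
"""Context-aware output escaping, an added sketch of the thread's idea.

Literal template pieces are trusted (Raw) and drive a tiny HTML state
machine; everything else is untrusted data, encoded for the context the
literals have put us in: text node, quoted attribute value, or quoted
value of a URL-valued attribute, where the data is percent-encoded first
and HTML-escaped second (the "nested encodings" from the thread).
"""
import html
from urllib.parse import quote

# Attributes whose value is a URL (assumed list for this example).
URL_ATTRS = {"href", "src", "action", "formaction"}


class Raw(str):
    """Trusted literal, emitted verbatim; also the programmer override."""


class Context:
    """Tracks where in the markup the next untrusted value will land."""

    def __init__(self):
        self.state = "text"     # text | tag | attr
        self.attr = ""          # name of the attribute whose value we are in
        self.quote = ""         # quote char that opened that value
        self._name = ""         # attribute name being read while in a tag
        self._after_eq = False  # saw '=' after the name, expecting a value

    def feed(self, literal):
        for ch in literal:
            if self.state == "text":
                if ch == "<":
                    self.state, self._name, self._after_eq = "tag", "", False
            elif self.state == "tag":
                if ch == ">":
                    self.state = "text"
                elif ch in ('"', "'") and self._after_eq:
                    self.state, self.quote = "attr", ch
                    self.attr = self._name.lower()
                elif ch == "=":
                    self._after_eq = True
                elif ch.isspace():
                    self._name, self._after_eq = "", False
                elif not self._after_eq:
                    self._name += ch
            else:  # inside a quoted attribute value
                if ch == self.quote:
                    self.state, self._name, self._after_eq = "tag", "", False

    def encode(self, value):
        if self.state == "text":
            return html.escape(value, quote=True)
        if self.state == "attr":
            if self.attr in URL_ATTRS:
                # Innermost layer first: percent-encode as one URL component,
                # then escape for the attribute the URL sits in.
                return html.escape(quote(value, safe=""), quote=True)
            return html.escape(value, quote=True)
        # Unquoted attribute value or tag name: no safe encoding exists.
        raise ValueError("untrusted value in an unquoted position")


def echo(*parts):
    """Like PHP's echo with auto-escaping: Raw pieces pass through and
    update the context, everything else is encoded for that context."""
    ctx = Context()
    out = []
    for part in parts:
        if isinstance(part, Raw):
            ctx.feed(part)
            out.append(str(part))
        else:
            out.append(ctx.encode(str(part)))
    return "".join(out)


def demo():
    """Constructed inputs mirroring the thread's examples."""
    hello = "<Hello World>"
    evil = '"><script>alert(1)</script>'
    results = {
        "text": echo(Raw("<Hello World> "), hello),
        "link": echo(Raw('<a href="/cgi/foo?'), hello, Raw('">'), hello, Raw("</a>")),
        "attack": echo(Raw('<a href="/cgi/foo?'), evil, Raw('">'), evil, Raw("</a>")),
        # Philip's case: the visible URL text is HTML-escaped, not
        # percent-encoded, so it no longer matches the href...
        "magic": echo(Raw('<a href="/cgi/foo?'), hello,
                      Raw('">http://server/cgi/foo?'), hello, Raw("</a>")),
        # ...unless the programmer overrides the default explicitly.
        "override": echo(Raw('<a href="/cgi/foo?'), hello,
                         Raw('">http://server/cgi/foo?'),
                         Raw(html.escape(quote(hello, safe=""))), Raw("</a>")),
    }
    try:
        echo(Raw("<a href="), hello, Raw(">"))
    except ValueError:
        results["unquoted"] = "refused"
    return results


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name:9} {markup}")
```

The design choice worth noting is that the parser only ever consumes trusted literals, never the encoded output, so an untrusted value can never move the state machine; an untrusted value landing in an unquoted position is refused outright rather than guessed at, and anything the automatic rule gets wrong (the display text of a URL) is fixed by the programmer encoding it themselves and wrapping it in Raw, which is the override Joachim proposes for point b.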