Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Niklas Keller
Lester Caine wrote on Sun., 19 June 2016, 22:03: > On 19/06/16 19:33, Михаил Востриков wrote: > > Lester > > > >> > there is NO need to simply slap htmlspecialchars() onto > >> > properly built data > > There are many cases when user data can contain quotes or other html > > entities. > > > >

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Михаил Востриков
Davey, could you give some example? As I see in this discussion, all specific use cases are associated with output to JS or URL context. But this is not a majority of use cases. Also, html escaping should not be used here, json_encode() or urlencode() should be used instead. 2016-06-20 8:39 GMT+05

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Davey Shafik
On Sun, Jun 19, 2016 at 8:30 PM, Walter Parker wrote: > Good, then we do agree, as what I said was what I DID NOT want to see in > the documentation. > > This should be documented as a shortcut for ?>. It should be further pointed out that while this will be useful in > catching many XSS and other

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Walter Parker
Good, then we do agree, as what I said was what I DID NOT want to see in the documentation. This should be documented as a shortcut for . It should be further pointed out that while this will be useful in catching many XSS and other HTML issues, it will not catch all of them, so care and attention t

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Михаил Востриков
> "Use ': > >> >> > where getting it 90% correct is worse than not doing anything at all. >> > Things like this will cause people to be blindsided when the uncaught >> escapes >> > cause the next major security problem. >> >> Why do you think so? What real problems can happen if there will be a >>

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Thomas Bley
you can never avoid people writing things incorrectly, just look at code using addslashes() instead of mysql_real_escape_string() ... Regards Thomas Walter Parker wrote on 20.06.2016 01:41: >> >> >> >> > where getting it 90% correct is worse than not doing anything at all. >> > Things like this

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Walter Parker
> > > > > where getting it 90% correct is worse than not doing anything at all. > > Things like this will cause people to be blindsided when the uncaught > escapes > > cause the next major security problem. > > Why do you think so? What real problems can happen if there will be a > short operator f

Re: [PHP-DEV] [RFC] RNG fixes

2016-06-19 Thread Tom Worster
On 6/19/16, 12:59 PM, "Fleshgrinder" wrote: >This matches Tom Worster's analysis of mt: it's just crap. :P Actually I satisfied myself that both MT19937 and PHP's mt_rand() produce good quality random variates and I posted the evidence behind the belief. I don't think being slow and inefficient

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Lester Caine
On 19/06/16 19:33, Михаил Востриков wrote: > Lester > >> > there is NO need to simply slap htmlspecialchars() onto >> > properly built data > There are many cases when user data can contain quotes or other html > entities. > > > // $book['title'] = 'When we say "Hello"'; > > > // $user['about_

[PHP-DEV] Re: [RFC] [VOTE] More precise float value

2016-06-19 Thread Jakub Zelenka
On Sun, Jun 12, 2016 at 7:54 PM, Jakub Zelenka wrote: > Hi, > > The vote for more precise float values is now open: > > https://wiki.php.net/rfc/precise_float_value#voting > > The vote ended and both proposals have been accepted. Cheers Jakub

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Christoph Becker
On 19.06.2016 at 19:28, Scott Arciszewski wrote: > Further reading: > https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know Thanks! Minor issue: | If you failed to specify ENT_QUOTES and attacker simply needs to pass | " onload="malicious javascript c

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Михаил Востриков
Lester > there is NO need to simply slap htmlspecialchars() onto > properly built data There are many cases when user data can contain quotes or other html entities. // $book['title'] = 'When we say "Hello"'; // $user['about_me'] = 'I am a programmer. I like to write alert("xss") in "About me

Re: [PHP-DEV] [RFC] [VOTE] More precise float value

2016-06-19 Thread Pascal MARTIN, AFUP
On 12/06/2016 20:54, Jakub Zelenka wrote: The vote for more precise float values is now open: https://wiki.php.net/rfc/precise_float_value#voting Hi, Not many of us at AFUP expressed their opinion on this RFC, but those who did were +1, if the only impact is on printing numbers, with no

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Walter Parker
From your story Scott, it looks like the failure was bad input filtering, not input filtering in general. If sites are really trying to be secure, they should follow both Lester's and your ideas and filter on input and escape on output. Given your second link the better suggestion is to stop taki

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Scott Arciszewski
On Sun, Jun 19, 2016 at 1:14 PM, Lester Caine wrote: > On 19/06/16 10:01, Marco Pivetta wrote: > > This basically means that you lack basic understanding of how escaping > and > > user input are to be handled. > > Most apps out there about getting a bunch of text from the user, then > > rendering

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Lester Caine
On 19/06/16 10:01, Marco Pivetta wrote: > This basically means that you lack basic understanding of how escaping and > user input are to be handled. > Most apps out there about getting a bunch of text from the user, then > rendering it somewhere else in the app. > Cleaning user input just leads to

Re: [PHP-DEV] [RFC] RNG fixes

2016-06-19 Thread Fleshgrinder
On 6/19/2016 6:27 PM, Pierre Joye wrote: > I think I gave you plenty of valid usage of MT rand or rand in some > extends. > > And the argument about them being dangerous for crypto is the same for any > other functions. And right, this argument is invalid. > > We do not remove cars from the stree

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Михаил Востриков
Please give me RFC karma. My wiki account is "michael-vostrikov". I plan to create an RFC for this feature. 2016-06-19 21:09 GMT+05:00 Thomas Bley : > I think it's best to create an RFC and put it to vote: > https://wiki.php.net/rfc/howto > > Having I also think majority of use cases is json_enc

Re: [PHP-DEV] [RFC] Iterable

2016-06-19 Thread Aaron Piotrowski
> On Jun 18, 2016, at 6:11 PM, Dan Ackroyd wrote: > > Hi Aaron, > >> does anyone have any further feedback on this proposal? > > What is the performance impact of the RFC on the standard performance > benchmarks? > > And can you comment on the performance of using iterable as a type for > par

Re: [PHP-DEV] [RFC] RNG fixes

2016-06-19 Thread Pierre Joye
On Jun 19, 2016 10:50 PM, "Fleshgrinder" wrote: > > On 6/17/2016 7:18 PM, Christoph Becker wrote: > > Consequently, we should remove rot13() as well, see > > . And we shouldn't stop there as > > include(_once), require(_once), file_get_contents() and readfile

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Thomas Bley
I think it's best to create an RFC and put it to vote: https://wiki.php.net/rfc/howto Having Guys, wait please) I don't suggest escaping package for all contexts and > for all cases. This is not what I described in my first letter. My point is > that the main job of echo operator "" is output an

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

2016-06-19 Thread Fleshgrinder
On 6/18/2016 2:29 PM, Niklas Keller wrote: > Which potential BC? The only thing is a catch all handler that has already > been adjusted to PHP 7. > > If you catch an exception you somehow promise to handle it. If you can't > handle it, you should rethrow it. > > I don't think there will be real i

Re: [PHP-DEV] [RFC] RNG fixes

2016-06-19 Thread Fleshgrinder
On 6/17/2016 7:18 PM, Christoph Becker wrote: > Consequently, we should remove rot13() as well, see > . And we shouldn't stop there as > include(_once), require(_once), file_get_contents() and readfile() bear > the risk of file inclusion vulnerabilities … ;) >

[PHP-DEV] Send files in CURL from string

2016-06-19 Thread Alexander Moskalev
Hello! I have idea to make possible to send files with CURL from string. CURL library has few options to make it as easy as possible: CURLFORM_BUFFER, CURLFORM_BUFFERPTR, and CURLFORM_BUFFERLENGTH. But I got many problems with integration of this feature in current php curl file attachment design

[PHP-DEV] Re: Improve GD test suite

2016-06-19 Thread Christoph Becker
On 17.06.2016 at 15:54, Pierre Joye wrote: > The current testing code is under new bsd, so there is no license issue > here. Fine! > I plan to improve the current code to be more useful as well as adding > perceptual diff. My initial idea was to use pdiff. It is under gpl but as > it uses only f

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread David Muir
> On 19 Jun 2016, at 7:57 PM, Rasmus Schultz wrote: > > I am well familiar with this approach, and it does not scale - not > only would you be aggressively loading every installed view-helper > anytime you render a view, you would even be loading them when you're > *not* rendering a view. > >

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Rasmus Schultz
I am well familiar with this approach, and it does not scale - not only would you be aggressively loading every installed view-helper anytime you render a view, you would even be loading them when you're *not* rendering a view. I'm afraid the best we could do at this point, without changing the la

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Marco Pivetta
On 19 June 2016 at 11:34, Rasmus Schultz wrote: > > You can always add more functions to a namespace even spread across > multiple files > > Same problem: no autoloading. > > You would have to add require_once statements - which, as said, is not > really possible with Composer packages... > > You

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Rasmus Schultz
> Did you know that you can alias namespaces, too? Yes > You can always add more functions to a namespace even spread across multiple > files Same problem: no autoloading. You would have to add require_once statements - which, as said, is not really possible with Composer packages... On Sun,

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Marco Pivetta
On 19 June 2016 at 10:56, Lester Caine wrote: > On 19/06/16 09:38, Михаил Востриков wrote: > > My point is > > that the main job of echo operator "" is output an unknown value > from > > database to an HTML environment. So in all this places we should > copy-paste > > the call of htmlspecialchars(

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Lester Caine
On 19/06/16 09:38, Михаил Востриков wrote: > My point is > that the main job of echo operator "" is output an unknown value from > database to an HTML environment. So in all this places we should copy-paste > the call of htmlspecialchars() to prevent XSS. The majority of XSS problems are created be

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Михаил Востриков
Guys, wait please) I don't suggest escaping package for all contexts and for all cases. This is not what I described in my first letter. My point is that the main job of echo operator "" is output an unknown value from database to an HTML environment. So in all this places we should copy-paste the c

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Marco Pivetta
On 19 June 2016 at 09:53, Niklas Keller wrote: > Rasmus Schultz wrote on Sat., 18 June 2016, 17:44: > > Did you know that you can alias namespaces, too? > > > > > You can always add more functions to a namespace even spread across > multiple files. > Pro-userland: quick reminder that a `co

Re: [PHP-DEV] New escaped output operator

2016-06-19 Thread Niklas Keller
Rasmus Schultz wrote on Sat., 18 June 2016, 17:44: > > Add a couple parens and it's completely implementable in userland > > If we could autoload functions, I bet that's what everyone would be doing. > > At the moment, no one is able to commit to that pattern, because it > doesn't scale - you ca