PHP Escaper RFC: Consistent Escaping Functionality For Killing XSS
Earlier today, I submitted a PHP RFC for discussion which proposes adding to PHP an SPL Escaper class and, quite possibly, a related set of functions dedicated to escaping data for output to HTML/XML.
Programmers would have one perfect option that clears up the confusion, ignorance and poor practices that are evident throughout PHP’s community.
You’d just have to remember to use it ;).
Zend Framework 2.0 and Symfony 2’s Twig are already using the userland version of this RFC written in PHP. That’s great if you use those frameworks. Everyone else, including those with far less awareness of good security practices, is better off with a faster core PHP implementation which can be used by every framework, library and application with minimum effort. Let’s make escaping the right way easy.
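To make concrete what a context-aware escaper adds over a bare htmlspecialchars() call, here is a small added example in the spirit of the userland Escaper the post refers to. It is not the RFC's, Zend Framework's or Twig's code; the MiniEscaper class and its method names are this example's own, and it assumes PHP 7.4+ with the mbstring extension.

```php
<?php
// Added example (not code from the RFC, Zend Framework or Twig): a minimal
// context-aware HTML escaper. The class and method names are this example's own.
final class MiniEscaper
{
    /** Text inside an element body, e.g. <p><?= $e->escapeHtml($s) ?></p> */
    public function escapeHtml(string $s): string
    {
        // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
        // UTF-8 instead of silently returning an empty string.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** Value inside a quoted attribute, e.g. title="<?= $e->escapeHtmlAttr($s) ?>" */
    public function escapeHtmlAttr(string $s): string
    {
        // Attribute context is stricter than body text: everything outside a
        // short alphanumeric allow list becomes a numeric entity, so the value
        // stays inert even where a template author forgot the surrounding quotes.
        $out = preg_replace_callback(
            '/[^a-zA-Z0-9,._-]/u',
            static fn(array $m): string => sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8')),
            $s
        );
        if ($out === null) {
            // The /u modifier rejects malformed UTF-8; refuse rather than emit it.
            throw new InvalidArgumentException('Input is not valid UTF-8');
        }
        return $out;
    }
}

// Constructed sample input mixing both quote styles, markup characters and a
// non-ASCII letter.
$input = 'O\'Reilly <"&"> café';
$e = new MiniEscaper();

// The common "I escaped it" habit: default-flag htmlspecialchars() leaves the
// single quote untouched on PHP versions before 8.1, where ENT_COMPAT was the default.
echo htmlspecialchars($input), PHP_EOL;
echo $e->escapeHtml($input), PHP_EOL;
echo $e->escapeHtmlAttr($input), PHP_EOL;
```

Running it side by side shows the three outputs diverging on the single quote and on the attribute-context encoding, which is exactly the class of inconsistency the RFC wants to remove from everyday PHP code.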