PHP, Zend Framework and Other Crazy Stuff
PHP Escaper RFC: Consistent Escaping Functionality For Killing XSS
A short time ago today, I submitted a PHP RFC for discussion which proposes adding to PHP an SPL Escaper class and, quite possibly, a related set of functions dedicated to escaping data for output to HTML/XML.
https://wiki.php.net/rfc/escaper
The RFC itself should be a good read if you want to understand why I’m proposing this but the basics are quite simple. Cross-Site Scripting (XSS) is one of the two most common security vulnerabilities in web applications – the other being SQL Injection. Despite this, PHP’s offering of escaping functions is extremely limited. We can escape HTML body output with htmlspecialchars() but this still requires a wrapper function to perfect its security which most programmers don’t bother using. Javascript and CSS escaping is not implemented anywhere in PHP. In fact, there are many ways of escaping Javascript in userland code – I know of at least a dozen variations by now, all of them wrong.
The RFC resolves all of this by proposing the implementation of these escaping strategies in PHP’s core, where they can be implemented just once for absolutely everybody in a consistently named fashion. No more userland functions of varying quality and efficacy. No more confusion over how to escape Javascript correctly. No more juggling iconv and mbstring to ensure escaping supports multiple character encodings. No more forgetting to set the third (character encoding) parameter of htmlspecialchars() because you bought into the Great Ascii Delusion!
Programmers would have one perfect option that clears up the confusion, ignorance and poor practices that are evident throughout PHP’s community.
You’d just have to remember to use it.
Zend Framework 2.0 and Symfony 2’s Twig are already using the userland version of this RFC written in PHP. That’s great if you use those frameworks. Everyone else, including those with far less awareness of good security practices, is better off with a faster core PHP implementation which can be used by every framework, library and application with minimum effort. Let’s make escaping the right way easy.
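To make the three contexts above concrete, here is a small userland escaper written for this post as an added example. It is not code from the RFC, from Zend Framework 2 or from Twig; the class name, method names and the sample input are this example’s own choices, and it assumes PHP 7.4+ with the mbstring extension. The `html()` method is the htmlspecialchars() wrapper described above (explicit charset, both quote styles, no silent empty string on bad bytes) and is meant for body text and quoted attribute values only; `js()` and `css()` encode every character outside a small safe set so the result is correct inside either quote style.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC, Zend Framework 2 or Twig: a minimal
// userland escaper covering the three output contexts the post names.
// Names are this example's own; assumes PHP 7.4+ with mbstring.
final class ContextEscaper
{
    private string $encoding;

    public function __construct(string $encoding = 'UTF-8')
    {
        $encoding = strtoupper($encoding);
        // Refuse unknown encodings instead of silently falling back to ASCII.
        $known = array_map('strtoupper', mb_list_encodings());
        if (!in_array($encoding, $known, true)) {
            throw new InvalidArgumentException("Unsupported encoding: {$encoding}");
        }
        $this->encoding = $encoding;
    }

    /**
     * HTML body text and quoted attribute values. ENT_QUOTES escapes both quote
     * characters, ENT_SUBSTITUTE replaces invalid byte sequences instead of
     * returning an empty string, and the charset is passed explicitly: this is
     * the wrapper the post says most programmers never bother to write.
     */
    public function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    /**
     * JavaScript string literal (inside <script> or an event-handler attribute).
     * Everything outside [A-Za-z0-9,._] becomes \uHHHH, so the result is safe
     * inside either quote style and can never contain "</script".
     */
    public function js(string $value): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._]/u', static function (array $m): string {
            // UTF-16BE gives one 16-bit unit per \u escape; astral characters
            // come out as a surrogate pair, which is what JS expects.
            $hex = strtoupper(bin2hex(mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8')));
            return '\\u' . implode('\\u', str_split($hex, 4));
        }, $this->toUtf8($value));
    }

    /**
     * CSS string or identifier. Everything outside [A-Za-z0-9] becomes \HH...
     * followed by a space, which terminates the escape unambiguously.
     */
    public function css(string $value): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9]/u', static function (array $m): string {
            return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
        }, $this->toUtf8($value));
    }

    /** Normalise to UTF-8 once so the regexes above operate on valid code points. */
    private function toUtf8(string $value): string
    {
        $utf8 = $this->encoding === 'UTF-8'
            ? $value
            : mb_convert_encoding($value, 'UTF-8', $this->encoding);
        if (!mb_check_encoding($utf8, 'UTF-8')) {
            throw new InvalidArgumentException('Input is not valid in the declared encoding');
        }
        return $utf8;
    }
}

// Constructed sample input: a typical XSS probe rendered into three contexts.
$escaper = new ContextEscaper('UTF-8');
$input   = '<img src=x onerror="alert(1)">';

echo '<p>' . $escaper->html($input) . "</p>\n";
echo "<script>var name = '" . $escaper->js($input) . "';</script>\n";
echo '<style>.tag::after { content: "' . $escaper->css($input) . '"; }</style>' . "\n";
```

Running the script prints the probe as inert text in all three places: the HTML context shows `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`, the JavaScript string becomes a run of `\u003C`, `\u0020`, `\u0022` and similar escapes, and the CSS string becomes `\3C img\20 src\3D x\20 ...`. The point the post makes is visible in the code’s shape: each context needs its own rule, and getting any one of them slightly wrong (the wrong safe set, a forgotten charset, a backslash escape instead of a hex escape) is exactly the class of mistake a single core implementation would remove.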
This entry was posted by padraic on September 18, 2012 at 3:36 pm, and is filed under PHP General, PHP Security, Zend Framework.