
Earlier today, I submitted a PHP RFC for discussion which proposes adding an SPL Escaper class to PHP, and quite possibly a related set of functions dedicated to escaping data for output to HTML/XML.

https://wiki.php.net/rfc/escaper

The RFC itself should be a good read if you want to understand why I’m proposing this, but the basics are quite simple. Cross-Site Scripting (XSS) is one of the two most common security vulnerabilities in web applications – the other being SQL Injection. Despite this, PHP’s offering of escaping functions is extremely limited. We can escape HTML body output with htmlspecialchars(), but this still requires a wrapper function to make it secure, and most programmers don’t bother using one. JavaScript and CSS escaping is not implemented anywhere in PHP. Instead, there are many ways of escaping JavaScript in userland code – I know of at least a dozen variations by now, all of them wrong.

The RFC resolves all of this by proposing the implementation of these escaping strategies in PHP’s core, where they can be implemented just once for absolutely everybody in a consistently named fashion. No more userland functions of varying quality and efficacy. No more confusion over how to escape JavaScript correctly. No more juggling iconv and mbstring to ensure escaping supports multiple character encodings. No more forgetting to set the third parameter of htmlspecialchars() because you bought into the Great ASCII Delusion!
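To make the two points above concrete, here is an added userland sketch of the HTML and JavaScript strategies the RFC wants in core. It is not the RFC’s code and not Zend Framework’s Escaper; it follows the same whitelist-and-hex-escape approach, and the function names and the sample input are my own choices for this illustration.

```php
<?php
// Added example: a userland sketch of two escaping contexts. Function
// names are hypothetical; the sample input at the bottom is constructed.

// HTML body/attribute context. ENT_QUOTES also escapes single quotes
// (the default ENT_COMPAT leaves them alone), ENT_SUBSTITUTE replaces
// invalid byte sequences instead of silently returning an empty string,
// and the explicit 'UTF-8' is the third parameter people forget to set.
function escapeHtml(string $string): string
{
    return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context. Everything outside a conservative
// alphanumeric whitelist is hex-escaped, so quotes, backslashes, line
// terminators and "</script>" can never terminate the literal early.
function escapeJs(string $string): string
{
    // preg_replace_callback with /u returns null on malformed UTF-8,
    // so reject such input up front rather than emit nothing.
    if (!mb_check_encoding($string, 'UTF-8')) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
        $chr = $m[0];
        if (strlen($chr) === 1) {
            return sprintf('\\x%02X', ord($chr));      // single byte: \xHH
        }
        // Multibyte: decode the UTF-8 sequence to a code point and emit
        // \uHHHH, using a surrogate pair for code points above U+FFFF.
        $cp = unpack('N', mb_convert_encoding($chr, 'UTF-32BE', 'UTF-8'))[1];
        if ($cp > 0xFFFF) {
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
        }
        return sprintf('\\u%04X', $cp);
    }, $string);
}

// Constructed input containing the characters each context must neutralise:
// a single quote, a closing tag and a non-ASCII character.
$input = "' onmouseover='x' <\u{00E9}";

echo '<p title="' . escapeHtml($input) . '">' . escapeHtml($input) . "</p>\n";
echo "<script>var s = '" . escapeJs($input) . "';</script>\n";
```

Run it and compare the two outputs: the HTML line entity-encodes the quote and angle bracket, while the script line reduces everything but the whitelisted characters to \xHH and \uHHHH sequences.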

Programmers would have one perfect option that clears up the confusion, ignorance and poor practices that are evident throughout PHP’s community.

You’d just have to remember to use it ;) .

Zend Framework 2.0 and Symfony 2’s Twig are already using the userland version of this RFC written in PHP. That’s great if you use those frameworks. Everyone else, including those with far less awareness of good security practices, is better off with a faster core PHP implementation which can be used by every framework, library and application with minimum effort. Let’s make escaping the right way easy.

