
Pádraic Brady's Blog:
Automatic Output Escaping In PHP & The Real Future Of Preventing XSS
June 18, 2012 @ 11:58:22

Pádraic Brady has a new post on his blog about the state of output escaping in PHP and the steps that need to be taken to protect applications from the very real threat of cross-site scripting.

Automatic escaping has a certain appeal given its goal of removing the need to type escape() all over your templates. Funny thing, though, is that this is basically its one and only advantage. The second claimed goal is to remove a factor of human error (i.e. forgetting to type escape() somewhere), however, this hasn't posed an issue for me in the past where simple analysis of templates can quickly locate such omissions. And no, using automatic escaping does not remove the need to analyse templates for security issues - that's still needed regardless.

He goes on to define what "automatic escaping" is and isn't, and how escaping depends on the output context (the same data cannot always be escaped the same way in every place it appears). He talks about scope-limited escaping, context-aware escaping and an idea that could help make life easier: a Content Security Policy that tells the browser how it should behave when interpreting the HTML.
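Context-aware escaping in practice, as an added example that is not code from Pádraic Brady's post or from PHPDeveloper.org: the same untrusted string gets a different escaper depending on whether it lands in HTML text, a quoted attribute, an inline JavaScript string literal or a URL parameter. The ContextEscaper class and the sample input are constructed here for illustration.

```php
<?php
// Added example: one escaper per output context. htmlspecialchars() alone is
// only safe for text inside an HTML element body.
declare(strict_types=1);

final class ContextEscaper
{
    // HTML body text: entity-encode the HTML metacharacters.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // Quoted HTML attribute: encode everything except [A-Za-z0-9] as a numeric
    // entity, so whitespace or quote tricks cannot break out of the attribute.
    public static function htmlAttr(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
            return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // String literal inside inline JavaScript: \xHH for ASCII, \uHHHH per
    // UTF-16 unit otherwise (astral characters become a surrogate pair), so
    // quotes and "</script>" never appear raw in the page.
    public static function js(string $s): string
    {
        return preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 128) {
                return sprintf('\\x%02X', $cp);
            }
            $units = unpack('n*', mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8'));
            return implode('', array_map(fn(int $u): string => sprintf('\\u%04X', $u), $units));
        }, $s);
    }

    // URL query component: percent-encode first; the resulting URL still needs
    // attribute escaping when it is placed inside href="...".
    public static function urlParam(string $s): string
    {
        return rawurlencode($s);
    }
}

// Constructed untrusted input (an attribute break-out probe) for the demo.
$input = '" onmouseover="alert(1)';

printf("<p>%s</p>\n", ContextEscaper::html($input));
printf("<input value=\"%s\">\n", ContextEscaper::htmlAttr($input));
printf("<script>var v = \"%s\";</script>\n", ContextEscaper::js($input));
printf("<a href=\"/search?q=%s\">link</a>\n", ContextEscaper::htmlAttr(ContextEscaper::urlParam($input)));
```

Each of the four lines renders the probe inertly, but with different byte sequences; a template that applied only html() in the JavaScript or URL slots would still be exploitable, which is the point of context-aware escaping.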


All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework