Pádraic Brady's Blog:
Automatic Output Escaping In PHP & The Real Future Of Preventing XSS
June 18, 2012 @ 11:58:22

Pádraic Brady has a new post on his blog about the state of output escaping in PHP and the steps that need to be taken to protect applications from the very real threat of cross-site scripting.

Automatic escaping has a certain appeal given its goal of removing the need to type escape() all over your templates. Funny thing, though, is that this is basically its one and only advantage. The second claimed goal is to remove a factor of human error (i.e. forgetting to type escape() somewhere); however, this hasn't posed an issue for me in the past, where simple analysis of templates can quickly locate such omissions. And no, using automatic escaping does not remove the need to analyse templates for security issues - that's still needed regardless.

He goes on to define what "automatic escaping" is and isn't and how it relates to the context the data lands in (the same value cannot always be escaped the same way everywhere: HTML body, HTML attribute, JavaScript and URL contexts each have their own rules). He talks about scope-limited escaping, context-aware escaping and an idea that could help make life easier - a Content Security Policy that tells the browser how it should behave when interpreting the HTML it receives.
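Context-aware escaping in practice, as an added example that is not taken from Brady's post: one constructed value is rendered into four output contexts, and each context needs a different encoding, which is why a single automatic HTML escape cannot cover a whole template. The ContextEscaper class and its method names are hypothetical; the encoding rules follow the usual OWASP per-context guidance.

```php
<?php
// Added example (not from the original post): the same untrusted value needs a
// different encoding per output context; a single HTML escape fits only one of them.
declare(strict_types=1);

final class ContextEscaper
{
    // HTML text node: the five significant characters are enough.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Quoted HTML attribute: encode everything except safe literals as &#xHH;
    // so the value can neither close the quote nor start a new attribute.
    public static function htmlAttr(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', function (array $m): string {
            return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
        }, $s);
    }

    // JavaScript string literal: \xHH / \uHHHH escapes that the JS parser decodes
    // but the HTML parser never re-interprets (so no "</script>" can appear).
    public static function js(string $s): string
    {
        return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp > 0xFFFF) { // outside the BMP: emit a UTF-16 surrogate pair
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }
            return $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp);
        }, $s);
    }

    // URL query component: RFC 3986 percent-encoding.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }
}

// Constructed sample value standing in for user-supplied input.
$name = 'O\'Brien "Pat" <b>';
printf("<p>%s</p>\n", ContextEscaper::html($name));
printf("<input value=\"%s\">\n", ContextEscaper::htmlAttr($name));
printf("<script>var n = \"%s\";</script>\n", ContextEscaper::js($name));
printf("<a href=\"/search?q=%s\">search</a>\n", ContextEscaper::url($name));
```

Run the script and compare the four lines: the HTML-escaped form of the same value would be wrong inside the script block and the URL, which is the template-analysis point the post makes.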


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework