On Sep 25, 2023, at 01:49, Derick Rethans <der...@php.net> wrote:
> The Foundation is organising an external audit/security check of the PHP 
> source code. As part of that, we would like to identify the places in 
> the PHP source code where checking this will have the most impact.

String parsing functions. Not just for outright vulnerabilities, but also for 
logical errors which can make them behave differently from other 
implementations, or make them behave in unexpected ways when presented with 
unusual inputs.

A couple of important examples that come to mind are:

* the HTTP stream wrapper

* json_encode/decode/etc

* parse_url - particularly as compared to the HTML5 URL parser spec

* strip_tags - similarly, compare to HTML5 tag parsing

* htmlentity_decode, htmlspecialchars_decode
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
