Stefan Walk wrote:
> Rasmus Lerdorf wrote:
>> Well, I actually have years of experience taking apps and making them
>> run under my strict default filter. And it tends to not be very many
>> changes, if any at all. In the O'Reilly case it gets changed to
>> O'Reilly which for a pure web app is fine. If all input
>> consistently gets changed the same way then you can store O'Reilly
>> in the backend and a search will still find it since the search query
>> itself will be encoded the same way. If you have non web tools
>> working with the same backend data, then you may have a requirement to
>> store it raw, in which case you'd need to poke a hole in your data
>> firewall.
> I have a hard time remembering the last at least half-serious web app
> that I touched that didn't at least include email functionality ... and
> even if it doesn't, storing scrambled data in the backend is not really
> a good idea, for example because it makes adding functionality - like
> email - that needs another encoding hard.
Like I said, I'm not advocating storing it encrypted, I was simply
saying it isn't necessarily going to break anything running an app
unchanged under a default filter. And even if it does, in an app that
does email, the breakage will be limited to some funny-looking ''s
here and there in the emails that go out, assuming of course they aren't
HTML emails, in which case it would look fine. Failing safe like that
is much better than having XSS issues everywhere.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
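The trade-off the two of them are arguing about, as an added illustration that is not code from the thread or from PHP itself: a stand-in for the strict default filter (here just `htmlspecialchars` with `ENT_QUOTES`) is applied to everything crossing the input boundary, which keeps search working because the query is encoded the same way as the stored row, while the plain-text email path has to "poke a hole" and decode again. The backend array and the `default_filter`, `search`, `html_cell` and `email_body` functions are constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for the strict default filter: every value crossing the input
// boundary is encoded as if it were about to be placed into HTML.
// ENT_QUOTES makes the apostrophe a numeric entity, which is what turns
// O'Reilly into its "funny-looking" stored form.
function default_filter(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Constructed backend: rows are stored exactly as they arrived through the filter.
$backend = [];
foreach (["O'Reilly", 'Smith & Sons', '<script>alert(1)</script>'] as $raw) {
    $backend[] = default_filter($raw);
}

// A search term also crosses the input boundary, so it is encoded the same
// way and a substring match against the stored rows still succeeds.
function search(array $rows, string $rawQuery): array
{
    $needle = default_filter($rawQuery);
    return array_values(array_filter(
        $rows,
        fn(string $row): bool => str_contains($row, $needle)
    ));
}

// HTML output: the stored value is already safe for this context and is
// emitted as-is. Encoding it a second time would double-encode the entity.
function html_cell(string $stored): string
{
    return "<td>{$stored}</td>";
}

// Plain-text email: the "hole in the data firewall". There is no HTML
// context to interpret the entity, so decode back to the raw string.
function email_body(string $stored): string
{
    $raw = html_entity_decode($stored, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return "Dear {$raw},\n";
}

print_r(search($backend, "O'Reilly"));
echo html_cell($backend[0]), "\n";
echo email_body($backend[0]);
```

Run it with `php` on 8.0 or later (for `str_contains`); the search result, the HTML cell and the email greeting show the same stored row in its three forms.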