> You could have your custom C extension be called as one of the hooks.

I suppose I could munge with the apache tables directly in a hook before
the data is read by the standard treat_data hook, although for post data I
am not sure I have any way to get in there before the
ap_get_client_block() call and change what data ap_get_client_block() is
going to see.  I also need to make the raw data available via either a
special superglobal or an access function.  This doesn't seem 
straightforward to do through an apache_hook and it would tie something 
that is not inherently Apache-specific to Apache.  A general-purpose 
user-data filter hook would work across all sapi modules.

The main goal here, in case it wasn't obvious, is to prevent
cross-site-scripting problems by forcing all user-originating data to be
cleaned automatically and providing a hoop to jump through in case the
developer really does want the raw uncleaned data.  It isn't something
that belongs in PHP directly as every site that would be interested in
this would likely have different security policies, but I do think a 
general hook is something that would be useful to all of PHP.

A huge number of web apps today are extremely vulnerable to
cross-site-scripting attacks.  Occasionally developers remember to clean
their data before displaying it, but for the most part they don't.  Take
half an hour and find yourself a collection of sites where you can enter
data that is somehow displayed back to you.  Shopping carts that ask for
your name and phone number, or half of php.net's own stuff.  Stick a bit
of javascript in your phone number and watch.

-Rasmus


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
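The design sketched in the message above, as an added example that is not code from the thread or from PHP itself: incoming form data is parsed once, every value is pushed through a pluggable filter hook before it lands in the table ordinary code reads, and the unfiltered copy is kept behind a separate, deliberately explicit accessor. The names (`filter_hook_t`, `userdata_parse`, `userdata_get`, `userdata_get_raw`) and the HTML-escaping policy are assumptions for illustration; the point is that the policy is a parameter, since, as the post notes, each site would want its own.

```c
/* Added example: a minimal model of a general-purpose user-data filter hook.
 * Nothing here is Apache-specific, so the same code would sit behind any SAPI.
 * All identifiers are hypothetical; the sample query string is constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_VARS 16
#define MAX_LEN  256

typedef struct {
    char key[MAX_LEN];
    char raw[MAX_LEN];    /* as received, after URL decoding only */
    char clean[MAX_LEN];  /* after the filter hook ran */
} userdata_var;

typedef struct {
    userdata_var vars[MAX_VARS];
    int count;
} userdata_table;

/* A filter hook receives the raw value and writes the cleaned value. */
typedef void (*filter_hook_t)(const char *raw, char *out, size_t outlen);

/* One possible site policy: HTML-escape so a value echoed into a page
 * is rendered as text rather than interpreted as markup. */
static void html_escape_hook(const char *raw, char *out, size_t outlen) {
    size_t o = 0;
    for (const char *p = raw; *p && o + 7 < outlen; p++) {
        const char *rep = NULL;
        switch (*p) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(out + o, rep, n); o += n; }
        else out[o++] = *p;
    }
    out[o] = '\0';
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode "%XX" escapes and '+' for a bounded input segment. */
static void url_decode(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < inlen && o + 1 < outlen; i++) {
        if (in[i] == '+') out[o++] = ' ';
        else if (in[i] == '%' && i + 2 < inlen &&
                 hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Parse "a=1&b=2" data once at request start (the treat_data step),
 * running every value through the hook. Returns the number of variables. */
static int userdata_parse(const char *query, filter_hook_t hook, userdata_table *t) {
    t->count = 0;
    const char *p = query;
    while (*p && t->count < MAX_VARS) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > 0) {
            const char *eq = memchr(p, '=', seglen);
            userdata_var *v = &t->vars[t->count++];
            if (eq) {
                url_decode(p, (size_t)(eq - p), v->key, sizeof v->key);
                url_decode(eq + 1, seglen - (size_t)(eq - p) - 1, v->raw, sizeof v->raw);
            } else {
                url_decode(p, seglen, v->key, sizeof v->key);
                v->raw[0] = '\0';
            }
            hook(v->raw, v->clean, sizeof v->clean);
        }
        p = end ? end + 1 : p + seglen;
    }
    return t->count;
}

/* What ordinary $_GET/$_POST-style access returns: the filtered value. */
static const char *userdata_get(const userdata_table *t, const char *key) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->vars[i].key, key) == 0) return t->vars[i].clean;
    return NULL;
}

/* The hoop to jump through: explicit access to the unfiltered value. */
static const char *userdata_get_raw(const userdata_table *t, const char *key) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->vars[i].key, key) == 0) return t->vars[i].raw;
    return NULL;
}

int main(void) {
    /* Constructed sample: a phone field carrying script markup. */
    const char *q = "name=Rasmus&phone=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
    userdata_table t;
    userdata_parse(q, html_escape_hook, &t);
    printf("phone (filtered): %s\n", userdata_get(&t, "phone"));
    printf("phone (raw):      %s\n", userdata_get_raw(&t, "phone"));
    return 0;
}
```

Because the hook runs before any script code sees the data, a developer who forgets to clean a value before echoing it gets the escaped form by default; only a call to the raw accessor yields the original bytes, which makes every such call an auditable decision rather than an omission.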