Hi. there was a bug yesterday: http://bugs.php.net/bug.php?id=54584 which made me to realize that we don't have any documentation about security issues like XSS, CSRS, and stuff (the general OWASP Top Ten). I think that we should extend the current security documentation at http://php.net/manual/en/security.php and we should link this section in the other part of the docs where it is relevant. For example the reserved variables section should link the security implications of the the user submitted data. Another thing that I would like to discuss: what should be the scope of the security docs? My personal opinion is that we should have a complete documentation about the general web related and the php specific security issues and there mitigations. So it should contain everything from best practices for filtering/stripping html from user input, properly handling uploads, throught security related configuration options, securing the web server itself(or at least linking the relevant documentation from the vendors) like how to set up a an mod_php/fastcgi/php-fpm installation from the security POV, chroot/jail, etc. I would happily contribute to such documentation, but first of all, I would like to know what do you think about it.
Personally I would love the idea to have that kind of documentation in the php manual, because it would have the greatest audience, if that isn't viable, I would like to have a section in wiki.php.net, and link that from the docs. Tyrael
