Hi
Within your view, you, the developer, know your context, so it's up to
you to define the escaping mechanism. We're just going to provide a sane
default for the 80/20 use case.
Just for inspiration:
http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html
On 15 Jul 2009, at 03:30, Matthew Weier O'Phinney wrote:
80/20 is a nice rule but not for security. I went through this way
few
years ago and as you mention it was so convenient to don't care in
80%
of cases but the rest was pain in the ass. The setEscape() method
doesn't help too much
Hi
On Wed, Jul 15, 2009 at 5:12 PM, Carlton
Just an idea/suggestion here, could we have an optional second param to
escape() which if provided would override the default (just for that usage)?
You need at least two parameters additional for escaping because you
have to sometimes specify
Hi,
On 15 Jul 2009, at 13:21, Ondrej Ivanič wrote:
On Wed, Jul 15, 2009 at 5:12 PM, Carlton
Just an idea/suggestion here, could we have an optional second
param to
escape() which if provided would override the default (just for
that usage)?
You need at least two parameters additional for
Hi
Why are you mixing them into a single file? Why not have separate files
for separate types of code? This simplifies the story for escaping,
Sametimes you have to mix everything together because you need
dynamically generate values of certain attributes like onXXX, style,
...
We can
Hi
Why are you mixing them into a single file? Why not have separate files
for separate types of code? This simplifies the story for escaping,
Sametimes you have to mix everything together because you need
dynamically generate values of certain attributes like onXXX, style,
...
We can
Hi
2009/7/15 Carlton Gibson carlton.gib...@noumenal.co.uk:
Perhaps I'm not fully on board with what you're after but, I imagined all of
that to be taken care of by the callback (closure?) passed in as the second
parameter.
Then, say it's html by default, normally I just do this:
Yes, then
Ondrej Ivanič-3 wrote:
Thats sounds like a ZF version of magic_quotes... How do you want to
deal with different escaping in javascript, css, html, xml? View
script could be mix of anything i.e:
I think it won't be something like magic_quotes because it is at no point
secure, in my humble
-general@lists.zend.com
Sent: Tuesday, July 14, 2009 6:47:19 AM
Subject: Re: [fw-general] XSS Prevention with Zend Framework
Hi
fixing that...), but I will note: Starting with 2.0, escaping will be
the default when retrieving variables from the view object, and you will
need to request the raw value
://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative
From: Ondrej Ivanič ondrej.iva...@gmail.com
To: fw-general@lists.zend.com
Sent: Tuesday, July 14, 2009 6:47:19 AM
Subject: Re: [fw-general] XSS Prevention with Zend Framework
Hi
fixing that...), but I
-- Ondrej Ivanič ondrej.iva...@gmail.com wrote
(on Tuesday, 14 July 2009, 03:47 PM +1000):
fixing that...), but I will note: Starting with 2.0, escaping will be
the default when retrieving variables from the view object, and you will
need to request the raw value explicitly if you need it.
Hi
On Wed, Jul 15, 2009 at 2:39 AM, Matthew Weier
O'Phinneymatt...@zend.com wrote:
Within your view, you, the developer, know your context, so it's up to
you to define the escaping mechanism. We're just going to provide a sane
default for the 80/20 use case.
80/20 is a nice rule but not for
://blog.astrumfutura.com
http://www.survivethedeepend.com
OpenID Europe Foundation Irish Representative
From: Ondrej Ivanič ondrej.iva...@gmail.com
To: fw-general@lists.zend.com
Sent: Wednesday, July 15, 2009 1:09:53 AM
Subject: Re: [fw-general] XSS Prevention with Zend Framework
-- Ondrej Ivanič ondrej.iva...@gmail.com wrote
(on Wednesday, 15 July 2009, 10:09 AM +1000):
On Wed, Jul 15, 2009 at 2:39 AM, Matthew Weier
O'Phinneymatt...@zend.com wrote:
Within your view, you, the developer, know your context, so it's up to
you to define the escaping mechanism. We're
-- howard chen howac...@gmail.com wrote
(on Monday, 13 July 2009, 09:32 PM +0800):
Back to the Mar 2008, some guy posted :
http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP
Any update on it?
Is it possible to do XSS filtering with Zend Framework now?
From: howard chen howac...@gmail.com
To: Zend Framework General fw-general@lists.zend.com
Sent: Monday, July 13, 2009 2:32:38 PM
Subject: [fw-general] XSS Prevention with Zend Framework
Back to the Mar 2008, some guy posted :
http://framework.zend.com/wiki/display/ZFDEV
Hi
fixing that...), but I will note: Starting with 2.0, escaping will be
the default when retrieving variables from the view object, and you will
need to request the raw value explicitly if you need it. This is a
Thats sounds like a ZF version of magic_quotes... How do you want to
deal with
17 matches
Mail list logo
