PHP - security etc

Dominic Mitchell dom at happygiraffe.net
Wed Mar 7 17:20:31 GMT 2007


On Wed, Mar 07, 2007 at 04:26:28PM +0000, Andy Armstrong wrote:
> On 7 Mar 2007, at 16:15, Dominic Mitchell wrote:
> >I disagree.  Not only does PHP not make it easy to be secure, it makes
> >it actively hard to be correct as far as I can see...  For example,
> >requiring you to call htmlspecialchars() on every string that ends up in
> >the page is completely inexcusable in order to avoid XSS attacks.
> 
> I don't understand this. If the string contains HTML you don't want  
> to escape it. If it contains plain text that you want to HTML escape  
> then /of course/ you have to escape it.

You're creating a damned web page.  You need to escape pretty much
everything.  Not escaping things should be the exception, rather than
the other way around.  Otherwise it gets forgotten and guess what?  Lots
of XSS attacks.  Yay!

-Dom
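The "escape everything, opt out only by exception" approach argued for above can be made the default in PHP itself. The following is an added example for this page, not code from the thread or from either poster; the helper name `e()` and the `Raw` marker class are hypothetical choices, and it assumes PHP 8.1 or later for the promoted readonly constructor property.

```php
<?php
declare(strict_types=1);

// Escape-by-default output helper (added example, not from the thread).
// Every value that reaches the page goes through e(); the only way to emit
// unescaped markup is to wrap it explicitly in Raw, so the unescaped path is
// visible at the call site instead of being the thing you forget.

// Marker type for a string the caller asserts is already safe HTML.
final class Raw
{
    public function __construct(public readonly string $html) {}
}

// Escape a value for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES escapes both ' and " so attribute contexts cannot be broken out of.
// ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string,
// which would otherwise silently drop the whole value from the page.
function e(string|Raw|int|float|null $value): string
{
    if ($value instanceof Raw) {
        return $value->html;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for untrusted request data.
$name  = '<script>alert(1)</script>';
$title = 'Rock "n" Roll';

// Text node: the tags come out as inert literal text.
echo '<p>Hello, ' . e($name) . "</p>\n";

// Attribute value: the embedded quotes are escaped, so the attribute stays closed.
echo '<input type="text" value="' . e($title) . "\">\n";

// Markup the application itself generated has to be opted in explicitly.
echo e(new Raw('<strong>site-generated</strong>')) . "\n";
```

Two caveats worth keeping in mind with this pattern: before PHP 8.1 the default flags for `htmlspecialchars()` were `ENT_COMPAT`, which leaves single quotes alone, so passing `ENT_QUOTES` explicitly matters on older runtimes; and HTML escaping only covers HTML text and attribute contexts, so a value interpolated into a `<script>` block, a URL, or a CSS rule needs the encoder for that context rather than this one.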

