rfc:escaper
Differences
This shows you the differences between two versions of the page.
rfc:escaper [2013/09/27 04:15] – Merge Change Log yohgaki | rfc:escaper [2018/06/18 10:11] (current) – This RFC appears to be inactive cmb | ||
---|---|---|---|
Line 3: | Line 3: | ||
* Date: 2012-09-18 | * Date: 2012-09-18 | ||
* Author: Pádraic Brady < | * Author: Pádraic Brady < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
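Review bot: the Status change at Line 3 is justified only by the revision summary "This RFC appears to be inactive", which is hedged and gives no evidence. Record in the page itself what the inactivity is based on (for example the date of the last list discussion or of the author's last edit), so a reader can tell an abandoned RFC from a withdrawn or declined one.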
Line 103: | Line 103: | ||
===== Implementation Notes ===== | ===== Implementation Notes ===== | ||
+ | |||
+ | IMPORTANT: Since proper escape requires proper character encoding handling, multibyte string feature in core is mandatory for implementation. | ||
I am strongly opposed to allowing these functions accept unpredictable character encoding directives via php.ini. That would require additional work to validate which is precisely what this RFC should seek to avoid. By validation, I mean having programmers determine how dependencies implement escaping, what encoding they enforce (usually the default), and then determining if it can be changed by the depending applications or if the library must be forked, re-edited, etc. Those who are concious of security will review dependencies for such issues rather than blindly trust dependencies. | I am strongly opposed to allowing these functions accept unpredictable character encoding directives via php.ini. That would require additional work to validate which is precisely what this RFC should seek to avoid. By validation, I mean having programmers determine how dependencies implement escaping, what encoding they enforce (usually the default), and then determining if it can be changed by the depending applications or if the library must be forked, re-edited, etc. Those who are concious of security will review dependencies for such issues rather than blindly trust dependencies. |
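Review bot: the added IMPORTANT line under Implementation Notes declares multibyte string support "mandatory" without saying what that requires. Since mbstring is an optional extension, state whether the RFC expects it to be always compiled in or only that the escaper functions depend on it, and which encodings must be handled. The line also sits directly above a first-person paragraph ("I am strongly opposed ...") with no attribution, so it reads as the RFC author's own statement; mark who added it, or move it to a separate note. It would also help to tie it to the next paragraph's position, that the encoding must not come from php.ini, so the two requirements read as one rule. Minor wording: "proper escape" should be "proper escaping".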
rfc/escaper.1380255301.txt.gz · Last modified: 2017/09/22 13:28 (external edit)