Edit report at https://bugs.php.net/bug.php?id=62745&edit=1
ID: 62745
Comment by: keithm at aoeex dot com
Reported by: kjelkenes at gmail dot com
Summary: Extend echo and print possibility
Status: Open
Type: Feature/Change Request
Package: Unknown/Other Function
Operating System: *
PHP Version: 5.4.5
Block user comment: N
Private report: N

New Comment:

You can already accomplish this using output buffering if so desired. I don't see a need to add anything else into the mix.

For example:
------------------------------------------
<?php
// Callback that ob_start() runs over the buffered output before it is sent.
$outputHandler = function($data){
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
};

ob_start($outputHandler);
echo '<script>alert(\'This will never be executed.\')</script>';
------------------------------------------

outputs:
<script>alert('This will never be executed.')</script>


Previous Comments:
------------------------------------------------------------------------
[2012-08-04 14:13:55] kjelkenes at gmail dot com

Description:
------------
This is a feature request regarding the "echo" and "print" functions used in PHP.

The echo/print statement is used for output. As of today there is no way of extending these statements, leading to potential security risks. If we could extend the echo function at a given time with a handler/closure this could really improve the security of PHP.

Say we have the following security risk (XSS injection):

$data = "<h1><script>alert('hi');</script></h1>"; // From db.
echo $data;

Today we need custom functions to escape this such as:

function escape($data){
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}
echo escape($data);

What if we could implement a handler for the echo/print statements such as this:

// Define a handler:
$outputHandler = function($data){
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
};

/**
 * Sets an output handler for php, it's used in echo and print statements.
 * @param string $name The identity of this handler ( Unique )
 * @param mixed $outputHandler function name or callback closure to use.
 * @param mixed $flags What type of statements to use this function.
 */
add_output_handler('xss_filter', $outputHandler, OutputHandler::F_ECHO | OutputHandler::F_PRINT);

/**
 * Removes a given output handler by its name.
 */
remove_output_handler('xss_filter');

Then we could use normal statements:

echo '<script>alert(\'This will never be executed.\')</script>';

And when we don't need it anymore:

remove_output_handler('xss_filter');

This way, one can be sure that the output of ANY kind is actually stripped, without implementing a whole new templating system for PHP. Also this does not break any kind of PHP applications running, it just adds new functionality that is (let's face it) really needed for PHP.

This is also great for MVC frameworks, just apply it before executing a view file and remove it after!
------------------------------------------------------------------------
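Added example, not code from the bug report or from PHP itself: it takes the ob_start() callback approach from keithm's comment and applies it the way the reporter proposes for MVC frameworks (handler active while a view runs, gone afterwards), then puts the result beside the reporter's own escape() helper applied at the point where data enters the markup. The view functions, the capture() helper and the sample database value are all constructed for the example. It goes one step beyond the thread by showing what a buffer-level handler does to the template's own markup, which is the property a defender has to weigh before choosing between the two approaches.

```php
<?php
// Added example (not from the bug report). Compares three ways of emitting
// untrusted data: no escaping, an ob_start() handler around the whole view,
// and htmlspecialchars() at the data/markup boundary.

// Output-buffer callback. ob_start() passes it the buffered output and a phase
// flag; whatever it returns is sent on (to the client or the parent buffer).
$escapeEverything = function (string $buffer, int $phase): string {
    return htmlspecialchars($buffer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

// Per-value escaper, the same idea as the reporter's escape() helper.
function escape(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical view that interpolates untrusted data without escaping it.
function unsafeView(string $untrusted): void
{
    echo '<h1>Comments</h1>';
    echo '<p>' . $untrusted . '</p>';
}

// Same view, escaping only the untrusted value.
function safeView(string $untrusted): void
{
    echo '<h1>Comments</h1>';
    echo '<p>' . escape($untrusted) . '</p>';
}

// Run a view and return the bytes it would have sent to the client. When a
// handler is given, it is installed only for the duration of the view, which
// is the "apply it before executing a view file and remove it after" pattern.
function capture(callable $view, string $input, ?callable $handler = null): string
{
    ob_start();                    // outer buffer: captures the final output
    if ($handler !== null) {
        ob_start($handler);        // inner buffer: the output handler
        $view($input);
        ob_end_flush();            // runs $handler, flushes into the outer buffer
    } else {
        $view($input);
    }
    return ob_get_clean();
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample value standing in for a row read from the database.
$fromDb = "<h1><script>alert('hi');</script></h1>";

$vulnerable      = capture('unsafeView', $fromDb);
$handlerEscaped  = capture('unsafeView', $fromDb, $escapeEverything);
$boundaryEscaped = capture('safeView', $fromDb);

echo "1. no escaping:\n$vulnerable\n\n";
echo "2. ob_start() handler:\n$handlerEscaped\n\n";
echo "3. escape() at the boundary:\n$boundaryEscaped\n\n";

// 1: the payload reaches the client as a live <script> element (XSS).
check(strpos($vulnerable, '<script>') !== false, 'unsafe view leaks script tag');

// 2: the payload is neutralised, but the view's own <h1> and <p> are turned
// into text as well; the browser shows markup source instead of a page.
check(strpos($handlerEscaped, '<script>') === false, 'handler removed script tag');
check(strpos($handlerEscaped, '&lt;h1&gt;Comments') !== false, 'handler escaped template markup too');

// 3: template markup survives and only the data is escaped.
check(strpos($boundaryEscaped, '<h1>Comments</h1>') !== false, 'template markup intact');
check(strpos($boundaryEscaped, '<script>') === false, 'data escaped at boundary');
```

Run it with `php example.php`. The point of case 2 is that an output handler sees only a string; it cannot tell the template's `<h1>` from the `<script>` that came from the database, so it can only escape both. That makes buffer-level escaping a fit for endpoints whose entire response is supposed to be plain text, while pages that mix markup with data need the escape() call (or a template engine that auto-escapes) at the boundary, as in case 3. Nesting the handler inside an outer ob_start() is also a convenient way to unit-test what a handler actually emits.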