Talk:Active Projects

From OEMR

Security Vulnerability Assessment and Fixing

Point #5 is flawed. addslashes() doesn't always escape a JavaScript literal correctly; escaping JavaScript nested in HTML/XML from within PHP is relatively difficult, and there isn't just one function that can do it. addslashes() is definitely better than nothing, but we'll have to update this convention later. (Point #4 is also flawed, but more subtly.) --Boyd Stephen Smith Jr. 17:23, 14 August 2011 (UTC)

Do you have suggestions for #4 and #5? Or are you looking for suggestions? --Tony - www.mi-squared.com 18:56, 14 August 2011 (UTC)

More of a "looking for". #4 is right most of the time, and I think the places where it is wrong are sufficiently rare that they can be handled ad hoc, and that explaining them will generally cause more confusion than gets removed. We probably should write a function for #5 and suggest it instead of add_slashes. IIRC, add_slashes is not very true to its name when magic_quotes_sybase is set. It is also fairly rare that it would be completely incorrect. In XML/XHTML, script sections are CDATA, they are PCDATA, so they need to be passed through htmlspecialchars after having JS escaping done. In HTML 4 and one of the dialects of HTML 5, script sections are CDATA, so escaping is not recognized and using htmlspecialchars would be incorrect. To get consistent behavior, the whole script needs to be surrounded in a CDATA section, and you must take advantage of script language features (e.g. string concatenation) to avoid having the script contain "]]>" or "</". Like I said, it's not exactly an easy problem, but add_slashes is better than nothing for now. --Boyd Stephen Smith Jr. 00:49, 15 August 2011 (UTC)
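The gap between addslashes() and a context-aware escaper that the thread above describes, as an added example that is not part of the wiki page or of OpenEMR's code: a PHP helper (the name js_string_literal is assumed) that makes a value safe as a JavaScript string literal inside an HTML or XHTML script element, shown beside the addslashes() output on the same constructed input.

```php
<?php
/**
 * Added example, not OpenEMR code. Escape a PHP string for use as a
 * JavaScript string literal inside an HTML or XHTML <script> element.
 * Every byte that matters to the HTML parser, the XML parser or the JS
 * tokenizer becomes a \xHH escape, so the result is safe whether the
 * script body is parsed as CDATA (HTML) or PCDATA (XHTML) and needs no
 * additional htmlspecialchars() pass.
 */
function js_string_literal($value)
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c   = $value[$i];
        $ord = ord($c);
        // Backslash and quotes: the literal cannot be closed early.
        // < > & /: "</script>" and "<!--" can no longer be formed.
        // ]: the "]]>" that would end a surrounding CDATA section.
        // Control bytes: a raw newline would terminate the literal.
        if ($ord < 0x20 || $ord === 0x7F || strpos("\\'\"<>&/]", $c) !== false) {
            $out .= sprintf('\\x%02X', $ord);
        } else {
            $out .= $c;
        }
    }
    // U+2028 / U+2029 are line terminators for older JS engines; escape them too.
    $out = str_replace(array("\xE2\x80\xA8", "\xE2\x80\xA9"),
                       array('\\u2028', '\\u2029'), $out);
    return "'" . $out . "'";
}

// Constructed sample input: a quote, a closing tag and a CDATA terminator.
$untrusted = "O'Reilly</script>]]>";

// addslashes() only handles the quote; "</script>" and "]]>" pass through,
// so the markup parser ends the script element before the JS engine runs.
$naive = "'" . addslashes($untrusted) . "'";
echo $naive, "\n";

// The escaper leaves no byte that either markup parser acts on.
$safe = js_string_literal($untrusted);
echo $safe, "\n";

echo '<script type="text/javascript">var patientName = ', $safe, ";</script>\n";
```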