Pragmatism in the real world

Pádraic Brady: Automatic Output Escaping In PHP And The Real Future Of Preventing Cross-Site Scripting (XSS)

Pádraic Brady has posted Automatic Output Escaping In PHP And The Real Future Of Preventing Cross-Site Scripting (XSS)

In the game of mitigating against the risks of XSS, how you escape is not as important as knowing why you are escaping. That second point, understanding why you escape data on output, is unfortunately commonly misunderstood. Yet, without that basic understanding – your choice of how to escape is quite possibly incorrect and, worse, it allows insecure escaping practices to thrive as that misunderstanding becomes embedded in what we pass on to other PHP programmers. We’re self-perpetuating our own ignorance.

In this new post Pádraic looks at what automatic escaping is and then continues with an exploration of the complexities. Well worth a read!
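To make the "knowing why" point concrete, here is an added example of my own (not code from Pádraic's post or from this blog): the escaping function is chosen by the output context, and blanket HTML escaping is only the right choice in one of them. The function names and the sample input are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Escaping for the HTML body and for double-quoted attribute values.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escaping for a string literal inside a <script> block: json_encode yields a
// quoted literal, and the JSON_HEX_* flags turn < > & ' " into \uXXXX so the
// value can never form "</script>" or terminate the literal. The substitute
// flag keeps json_encode from returning false on invalid UTF-8.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Escaping for a single query-string parameter value.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Constructed untrusted input; the backslash and the newline are the interesting part.
$input = "O'Brien <b>&</b> \\ \"quote\"\nnext line";

// 1. HTML body: automatic HTML escaping is exactly right here.
echo '<p>' . escapeHtml($input) . "</p>\n";

// 2. Script block: the same HTML escaping passes the raw newline and backslash
//    through, so the JS string literal is malformed; escapeJs yields a valid one.
echo "<script>var wrong = \"" . escapeHtml($input) . "\";</script>\n";
echo '<script>var right = ' . escapeJs($input) . ";</script>\n";

// 3. Event-handler attribute: two nested contexts, so escape for the inner
//    context (JS) first, then for the HTML attribute that contains it.
echo '<a href="#" onclick="show(' . escapeHtml(escapeJs($input)) . ')">link</a>' . "\n";

// 4. URL inside an href: URL-encode the parameter, then HTML-escape the whole
//    attribute value, again inner context first.
echo '<a href="' . escapeHtml('/search?q=' . escapeUrlParam($input)) . '">search</a>' . "\n";
```

Run it with `php` on the command line and compare the four outputs: only the first would be correct if a template engine applied HTML escaping automatically everywhere.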