[OWASP-ESAPI] PHP Port

Bryan Waters bwaters at solutionsbywaters.com
Tue Mar 3 14:32:10 EST 2009


Thanks for the update, Andrew.  I think all those specs seem logical to me.

As far as the mb_string issue goes, the only alternative I see is to code an
optional flag for ISO-8859-1 only and use utf8_decode to squash everything
into Latin-1. That function is included in the XML parser, which is compiled
in by default.
(Ducking for cover from all the non-English speakers.)

Now to go slightly off topic - I'm new here, so give me a warning if I step
out of line.
It may be an exercise in futility, but I'm currently trying to secure an
osCommerce store against XSS. My client is on PHP 5, but I'm working on
a PHP 4 compatible fix so I can make it generally available to the app's
users.  A straight port of the full ESAPI in PHP 4 is impossible, so I'm
coding up a little function library (static class) to use for legacy apps.
I found a page on an OWASP_PHP_AntiXSS_Library_Project which looked dead and
a little pointless for my needs since it required PHP 5 and mb_string.  Is
there any interest in a second smaller XSS library for PHP 4?  I don't want
to distract any volunteering on php-esapi since PHP 4 is already unsupported
and the platform really isn't going to be securable going forward.

Bryan
On Tue, Mar 3, 2009 at 7:44 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:

> Hi all,
> I've just come back from OWASP AU, where I managed to find some additional
> victims to help with the effort. The port is still in the earliest days, so
> we have a lot of leeway in how the port is coded and which classes are
> first.
>
> I want to make sure we target supported PHP versions, so the minimum
> version during development will be PHP 5.2.6 - 5.2.9, with 5.3
> compatibility. Eventually, we will move to namespaces, et al., offered by
> 5.3.0, but not for a while, and probably not until PHP 6.0 eventually comes
> out.
>
> I think we will have to use mb_string to manage Unicode characters in PHP
> until PHP 6.0 comes out. However, mb_string is an optional PECL install. I
> am really in some doubt about it as not many hosters have bothered to
> re-compile PHP to include it or make PEAR / PECL work for their shared
> hosting customers. Maybe do it that way first, and then work on back compat
> later if we get stuck?
>
> PHP 4 will not be supported - it's already EOL'd, it doesn't have enough OO
> support to produce a faithful rendition of the J2EE ESAPI, and more to the
> point, is practically unsecurable. By the time we finish ESAPI for PHP, PHP
> 4 support will be a moot point.
>
> I am looking for volunteers to take on a class or two, port "their" classes
> from the J2EE reference implementation and write test cases in SimpleTest to
> prove that it does what it says it does on the label. If you're interested,
> please contact me. If you're an older volunteer (i.e. folks from MN, etc),
> please get into contact with me, and we'll get this baby rolling!
>
> thanks,
> Andrew
>
>
>
> On 03/03/2009, at 10:28 AM, Jeff Williams wrote:
>
> Hi!
>
> Let’s see if Andrew can give us an update on the project.
>
> --Jeff
>
>
>
> *From:* owasp-esapi-bounces at lists.owasp.org *On Behalf Of* Bryan Waters
> *Sent:* Monday, March 02, 2009 5:10 PM
> *To:* owasp-esapi at lists.owasp.org
> *Subject:* [OWASP-ESAPI] PHP Port
>
> I'm looking for the maintainers and/or mailing list for the PHP port.
> I see a Google Code project with some interfaces but no mention of it on
> the OWASP Wiki.
>
> I'm trying to shore up some XSS vulnerabilities in a widely deployed PHP
> shopping cart and started hacking away at some custom functions based on the
> Java implementation.  I just found the Google project this morning and have
> some questions.
>
> What version of PHP are you trying to target?
> What type of Unicode support are you targeting?
> What modules are required (mb_string, etc.)?
>
> Thanks to all for putting together the OWASP docs and actually writing some
> code - at the very least it keeps me from scouring the entire web looking
> for "random security tips"
>
>
> --
> Bryan Waters
> SolutionsbyWaters.com
> IT and Web Solutions to Business Problems
>
> Cell: 903-360-3858
>
>
>


-- 
Bryan Waters
SolutionsbyWaters.com
IT and Web Solutions to Business Problems

Cell: 903-360-3858
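The ISO-8859-1 fallback Bryan sketches above (utf8_decode when mb_string is not available), worked through as an added example; this is not code from the thread, from ESAPI or from osCommerce. The function names and the `$latin1_only` flag are assumptions, and the code deliberately stays within PHP 4 era syntax to fit the legacy-app use case he describes.

```php
<?php
// Added example, not ESAPI, osCommerce or mailing-list code; names are hypothetical.
// Whitelist-style HTML encoder in the spirit of ESAPI's encodeForHTML(): only
// [A-Za-z0-9] pass through, every other character becomes a numeric entity, so
// attacker-controlled text cannot close an attribute or open a tag.

// Unicode code point of a single UTF-8 encoded character (needs mbstring).
function xss_utf8_codepoint($ch) {
    $ucs4 = mb_convert_encoding($ch, 'UCS-4BE', 'UTF-8');
    $parts = unpack('N', $ucs4);
    return $parts[1];
}

// Encode $input for an HTML body or quoted-attribute context.
// $latin1_only = true selects the fallback discussed in the thread: squash the
// input into ISO-8859-1 with utf8_decode() (part of the XML extension, compiled
// in by default) and work byte by byte, so mbstring is never required.
function xss_encode_for_html($input, $latin1_only = false) {
    $use_mb = !$latin1_only && function_exists('mb_substr');
    if ($use_mb) {
        // Normalise malformed UTF-8 first so a truncated multibyte sequence
        // cannot carry a raw '<' or '"' past the per-character loop below.
        $input = mb_convert_encoding($input, 'UTF-8', 'UTF-8');
        $len = mb_strlen($input, 'UTF-8');
    } else {
        // Characters outside Latin-1 come out as '?'; the flag makes that
        // loss an explicit deployment choice rather than a silent surprise.
        $input = utf8_decode($input);
        $len = strlen($input);
    }
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $ch = $use_mb ? mb_substr($input, $i, 1, 'UTF-8') : $input[$i];
        if (preg_match('/^[A-Za-z0-9]\z/', $ch)) {
            $out .= $ch;                    // safe alphanumerics unchanged
        } else {
            $cp = $use_mb ? xss_utf8_codepoint($ch) : ord($ch);
            $out .= '&#' . $cp . ';';       // everything else, including
        }                                   // '<', '"', '&' and NUL, encoded
    }
    return $out;
}

// Constructed sample: an attribute break-out attempt followed by non-ASCII text.
$sample = "\" onerror=\"x\" <b>caf\xC3\xA9</b>";
echo xss_encode_for_html($sample), "\n";        // UTF-8 path
echo xss_encode_for_html($sample, true), "\n";  // ISO-8859-1 fallback path
```

For the sample above both paths give the same result, because every character in it fits within ISO-8859-1; the two paths only diverge on text outside Latin-1, which the fallback reduces to '?'.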