[OWASP-ESAPI] PHP Port

Andrew van der Stock vanderaj at owasp.org
Wed Mar 4 00:04:05 EST 2009


There could well be a need for a lightweight version of that AntiXSS  
port.

Ben wrote most of the AntiXSS library for PHP, and I've CC'd him -  
maybe you two can talk and make it happen? If you do finish it, feel  
free to stick a newer version on the OWASP website.

thanks,
Andrew

On 04/03/2009, at 6:32 AM, Bryan Waters wrote:

> Thanks for the update, Andrew. I think all those specs seem logical  
> to me.
>
> As for the mb_string issue, the only alternative I see is to  
> code an optional flag for ISO-8859-1 only and use utf8_decode to  
> squash everything into Latin-1. That function is included in the XML  
> Parser, which is compiled in by default.
> (Ducking for cover from all the non-English speakers.)
>
> Now to go slightly off topic - I'm new here, so give me a warning if  
> I step out of line.
> It may be an exercise in futility, but I'm currently trying to  
> secure an osCommerce store against XSS. My client is on PHP 5, but  
> I'm working on a PHP 4 compatible fix so I can make it generally  
> available to the app's users. A straight port of the full ESAPI in  
> PHP 4 is impossible, so I'm coding up a little function library  
> (static class) to use for legacy apps. I found a page on an  
> OWASP_PHP_AntiXSS_Library_Project which looked dead and a little  
> pointless for my needs since it required PHP 5 and mb_string. Is  
> there any interest in a second smaller XSS library for PHP 4? I  
> don't want to distract any volunteering on php-esapi since PHP 4 is  
> already unsupported and the platform really isn't going to be  
> securable going forward.
>
> Bryan
>
> On Tue, Mar 3, 2009 at 7:44 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> Hi all,
>
> I've just come back from OWASP AU, where I managed to find some  
> additional victims to help with the effort. The port is still in the  
> earliest days, so we have a lot of leeway in how the port is coded  
> and which classes are first.
>
> I want to make sure we target supported PHP versions, so the minimum  
> version during development will be PHP 5.2.6 - 5.2.9, with 5.3  
> compatibility. Eventually, we will move to namespaces, et al,  
> offered by 5.3.0, but not for a while, and probably not until PHP  
> 6.0 eventually comes out.
>
> I think we will have to use mb_string to manage Unicode characters  
> in PHP until PHP 6.0 comes out. However, mb_string is an optional  
> PECL install. I am really in some doubt about it as not many hosters  
> have bothered to re-compile PHP to include it or make PEAR / PECL  
> work for their shared hosting customers. Maybe do it that way first,  
> and then work on back compat later if we get stuck?
>
> PHP 4 will not be supported - it's already EOL'd, it doesn't have  
> enough OO support to produce a faithful rendition of the J2EE ESAPI,  
> and more to the point, is practically unsecurable. By the time we  
> finish ESAPI for PHP, PHP 4 support will be a moot point.
>
> I am looking for volunteers to take on a class or two, port "their"  
> classes from the J2EE reference implementation and write test cases  
> in SimpleTest to prove that it does what it says it does on the  
> label. If you're interested, please contact me. If you're an older  
> volunteer (i.e. folks from MN, etc), please get into contact with  
> me, and we'll get this baby rolling!
>
> thanks,
> Andrew
>
>
>
> On 03/03/2009, at 10:28 AM, Jeff Williams wrote:
>
>> Hi!
>>
>> Let’s see if Andrew can give us an update on the project.
>>
>> --Jeff
>>
>>
>>
>> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Bryan Waters
>> Sent: Monday, March 02, 2009 5:10 PM
>> To: owasp-esapi at lists.owasp.org
>> Subject: [OWASP-ESAPI] PHP Port
>>
>> I'm looking for the maintainers and/or mailing list for the PHP port.
>> I see a Google Code project with some interfaces but no mention of  
>> it on the OWASP Wiki.
>>
>> I'm trying to shore up some XSS vulnerabilities in a widely  
>> deployed PHP shopping cart and started hacking away at some custom  
>> functions based on the Java implementation. I just found the  
>> Google project this morning and have some questions.
>>
>> What version of PHP are you trying to target?
>> What type of Unicode support are you targeting?
>> What modules are required (mb_string, etc.)?
>>
>> Thanks to all for putting together the OWASP docs and actually  
>> writing some code - at the very least it keeps me from scouring the  
>> entire web looking for "random security tips"
>>
>>
>> -- 
>> Bryan Waters
>> SolutionsbyWaters.com
>> IT and Web Solutions to Business Problems
>>
>> Cell: 903-360-3858
>>
>>
>
> -- 
> Bryan Waters
> SolutionsbyWaters.com
> IT and Web Solutions to Business Problems
>
> Cell: 903-360-3858
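Both character-handling paths the thread weighs (mb_string when it is loaded, utf8_decode to ISO-8859-1 otherwise) in one ESAPI-style HTML encoder, as an added example that is not code from the thread or from the ESAPI for PHP project; the function name esapi_html_encode and the $forceLatin1 flag are my own, and the sample input is constructed.

```php
<?php
// Added example (not ESAPI or thread code): an ESAPI-style encodeForHTML
// for PHP 5.2 that picks one of the two paths discussed on the list: walk
// UTF-8 code points with mb_string when it is loaded, or squash the input
// to ISO-8859-1 with utf8_decode() and walk single bytes otherwise.
// Policy follows the Java reference Encoder: alphanumerics pass through,
// every other character is emitted as a numeric entity.
function esapi_html_encode($input, $forceLatin1 = false)
{
    $useMb = function_exists('mb_strlen') && !$forceLatin1;
    if ($useMb) {
        // Reject malformed UTF-8 before encoding; overlong or truncated
        // sequences are exactly what a byte-at-a-time filter gets wrong.
        if (!mb_check_encoding($input, 'UTF-8')) {
            return false;
        }
        $len = mb_strlen($input, 'UTF-8');
    } else {
        // Fallback path: anything outside Latin-1 becomes '?', which is
        // lossy but still encodes safely below.
        $input = utf8_decode($input);
        $len = strlen($input);
    }

    $out = '';
    for ($i = 0; $i < $len; $i++) {
        if ($useMb) {
            $ch = mb_substr($input, $i, 1, 'UTF-8');
            // Code point of one UTF-8 character via UCS-4 (no mb_ord in 5.2).
            $ucs4 = unpack('N', mb_convert_encoding($ch, 'UCS-4BE', 'UTF-8'));
            $cp = $ucs4[1];
        } else {
            $ch = $input[$i];
            $cp = ord($ch);
        }
        if (($cp >= 0x30 && $cp <= 0x39) || ($cp >= 0x41 && $cp <= 0x5A)
            || ($cp >= 0x61 && $cp <= 0x7A)) {
            $out .= $ch;               // [0-9A-Za-z] are safe as-is
        } else {
            $out .= '&#x' . dechex($cp) . ';';
        }
    }
    return $out;
}

// Constructed sample input: the multibyte "é" must become a single entity,
// not one entity per UTF-8 byte, on both paths.
echo esapi_html_encode("<b>café</b>"), "\n";
echo esapi_html_encode("<b>café</b>", true), "\n";
```

Either path keeps a multibyte character as one entity; the Latin-1 path is lossy for anything outside ISO-8859-1, which is the trade-off Bryan describes.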
