Padraic Brady

Zend Framework Proposal: Zend\Html\Filter (HTML Sanitisation And Manipulation)

For a while now, I’ve been keen to build an HTML Sanitisation solution for PHP. Where else would I end up putting it other than in Zend Framework? As I’ve explored in past articles [1] [2], HTML Sanitisation in PHP is a very inconsistent practice. Sanitisers like HTMLPurifier are very secure out of the box but undeniably slow and resource intensive while others based on regular expression powered HTML parsing are much faster but tend to lose out a lot in the security stakes. Isn’t it possible to create a sanitiser that is both secure by default and performs well?

This was the core of the idea that became Wibble, my prototype for Zend\Html\Filter. Wibble borrowed sanitisation routines from a few programming languages to ensure secure operation, but relied entirely on PHP DOM and HTML Tidy for speed and HTML parsing. The resulting prototype was benchmarked [1] which proved that while Wibble could be faster than even regular expression based sanitisers (in scenarios where HTML was being manipulated) it most definitely would be faster than HTMLPurifier – without sacrificing security. Thus Wibble is capable of the best of both worlds – security and performance. The existing tradeoff in current solutions no longer applies.

You may read and comment on the proposal here: http://framework.zend.com/wiki/pages/viewpage.action?pageId=25002168. The proposal is up for review for Zend Framework 2.0.

Author: Pádraic Brady
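The proposal's argument is that a sanitiser must parse the HTML the way a browser does and keep only a whitelist, rather than pattern-match for bad tags. The following added example (mine, not Wibble or Zend\Html\Filter code, and in Python rather than PHP) puts a typical regex blacklist beside a parser-based whitelist sanitiser so the difference is concrete. The whitelist, the allowed URL schemes and the sample inputs are all constructed for the example.

```python
"""Added example (not Wibble / Zend\\Html\\Filter code): a regex tag stripper beside
a parser-based whitelist sanitiser, to show why the proposal parses HTML with a
real parser instead of regular expressions. All inputs below are constructed."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def regex_strip(html: str) -> str:
    """The naive approach: textually delete <script> blocks and quoted on* handlers.
    It misses unquoted handlers, unclosed <script>, and javascript: URLs."""
    out = re.sub(r"<script\b[^>]*>.*?</script>", "", html, flags=re.I | re.S)
    return re.sub(r'\son\w+\s*=\s*"[^"]*"', "", out, flags=re.I)


# Whitelist (assumed for the example): tag -> attributes allowed on it.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                 # never get a closing tag
DROP_CONTENT = {"script", "style"}  # drop the tag and everything inside it
SAFE_SCHEMES = {"http", "https", "mailto"}
CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_url(value: str) -> bool:
    """Accept relative URLs and the whitelisted schemes only. Tab/CR/LF are removed
    anywhere and leading/trailing control characters trimmed, mirroring what
    browsers do before they look at the scheme (so 'java\\tscript:' is caught)."""
    cleaned = value.replace("\t", "").replace("\r", "").replace("\n", "")
    cleaned = cleaned.strip(CONTROL_AND_SPACE)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class WhitelistSanitiser(HTMLParser):
    """Rebuilds the document from parsed events, emitting only whitelisted tags
    and attributes and re-escaping all text and attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags we have emitted and not yet closed
        self.skip = 0         # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tag: drop the tag, keep its text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED or tag in VOID:
            return
        if tag in self.open_tags:
            # close any still-open children first so the output nests properly
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitise(html: str) -> str:
    parser = WhitelistSanitiser()
    parser.feed(html)
    return parser.result()
```

The point of the pairing: `regex_strip` leaves `<img src=x onerror=alert(1)>`, `<a href="javascript:...">` and an unclosed `<script>` intact, while `sanitise` never has to know about any of those because anything outside the whitelist is simply not emitted. The nesting repair here is deliberately simple (unclosed `<li>` elements end up nested rather than siblings); a DOM-based implementation like the one the proposal describes gets tree-fixing from the HTML parser itself.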

Padraic Brady’s Blog: Zend Framework Security Related Releases Now Available

Padraic Brady wrote an excellent post about his security review of Zend Framework and, as a result, the security releases of Zend Framework 1.9.7, 1.8.5 and 1.7.9.

As the announcement also indicates, following December’s excitement I spent much of the Christmas and New Year period conducting a security review of the framework. While an ongoing process, the initial review focused on specific areas most likely to deal directly or indirectly with user input and the output of user sourced data. The results of that initial review were reported over the holidays to the Zend team, who patiently put up with my long winded emails and managed not to strangle me…so far. I’m keeping myself holed up in the mountains for now.

He shares his security review experience to tell us about the most common types of issues, the affected components and the new official Security Policy of Zend Framework.

Padraic Brady’s Blog: New Zend_Feed_Writer Component And Zend_Feed_Reader Enhancements (ZF 1.10)

Moving towards the Zend Framework 1.10 release, more and more new features and components are taking shape and being presented by developers and bloggers. Padraic Brady recently wrote about his contribution to the Zend_Feed component.

The new kid on the block, to be added in Zend Framework 1.10, is Zend_Feed_Writer. A bit like the older Zend_Feed_Builder classes, its purpose is to generate Atom 1.0 and RSS 2.0 feeds. The difference is that, like its sibling Zend_Feed_Reader, it is standards aware and operates entirely using PHP’s DOM.

Besides developing Zend_Feed_Writer Padraic contributed several interesting enhancements to Zend_Feed_Reader:

  • support for the whole of the Atom 1.0 specification
  • greater API coverage overall
  • array-style access
  • standardised API return types using ArrayObjects

Padraic Brady’s Blog: A Guide To Zend Framework Bug Hunt Days

November’s Bug Hunt Days are over. More than 100 bugs were fixed. That many bugs wouldn’t have been fixed without the excellent guide to participating in Bug Hunt Days written by Padraic Brady.

Many Zend Framework users fail to realise that the Zend team is comprised of about three individuals. Three people cannot address 1600 issues this side of the 22nd Century and it’s totally unfair to complain about the issue count in this light. They need assistance. They need people to fill in for former component lead developers, inactive developers, and developers who are mysteriously missing in action. But mainly they need more eyes and keyboards to clear issues.

The goal of Bug Hunt Days is to help the Zend Framework team fix as many issues as possible during the event. It is a great opportunity for those who want to help develop the framework but cannot do so on a regular basis. Because such people usually don’t know where to start, whom to ask, how to use the provided tools or simply how to commit code, Padraic’s guide should be the first thing to read before participating in a Bug Hunt. Check it out and see that participating in Bug Hunt Days is not that hard.

by Wojciech Szela on November 21, 2009 in News

Developer Tutorials: Writing A Simple Twitter Client Using the PHP Zend Framework’s OAuth Library (Zend_Oauth)

Pádraic Brady announced on the Developer Tutorials site that he has completed Zend_Oauth’s Consumer implementation for the OAuth Core 1.0 Revision A specification. He also presents an example implementation of a Twitter client using the new component.

The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.

Zend_Oauth might be released in Zend Framework 1.10 (due December?) and is already in the incubator. See how it works before the official release.
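The security property described above, that the Consumer never sends the Service Provider credentials, rests on the request-signing step of OAuth 1.0a: the Consumer proves possession of the consumer secret and token secret by signing the request, and the Service Provider recomputes the signature from its own copy of those secrets. The following added example (mine, in Python, not Zend_Oauth’s code) implements that HMAC-SHA1 signing and verification. The request, keys and secrets are the sample values from Appendix A of the OAuth Core 1.0 specification; nothing is sent over the network.

```python
"""Added example (not Zend_Oauth code): the HMAC-SHA1 signing step an OAuth 1.0a
Consumer performs, and the recomputation a Service Provider does to verify it.
Credentials and request are the Appendix A sample values from OAuth Core 1.0."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def enc(value) -> str:
    """Percent-encoding as OAuth 1.0a requires: only A-Za-z0-9 and -._~ are kept."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, query string removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()) -> str:
    """METHOD & enc(uri) & enc(sorted, encoded query + body + oauth_* parameters).
    oauth_signature itself and realm are excluded from the parameter set."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted(
        (enc(k), enc(v))
        for k, v in (*query, *body_params, *oauth_params.items())
        if k not in ("oauth_signature", "realm")
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_string_uri(url)), enc(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()) -> str:
    """Consumer side: the key is enc(consumer_secret)&enc(token_secret); the secrets
    never leave the Consumer, only this signature does."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"
    base = signature_base_string(method, url, oauth_params, body_params)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret="", body_params=()) -> bool:
    """Service Provider side: recompute from its own copy of the secrets and
    compare in constant time. Any change to method, URL or parameters fails."""
    presented = oauth_params.get("oauth_signature", "")
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(presented, expected)


def authorization_header(oauth_params, realm="") -> str:
    """Transport form: the oauth_* parameters, including the signature, in an
    Authorization: OAuth header."""
    items = [f'realm="{enc(realm)}"'] if realm else []
    items += [f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth_params.items())]
    return "OAuth " + ", ".join(items)


# Appendix A sample request (OAuth Core 1.0): GET a protected photo with an access token.
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def consumer_request():
    """What the Consumer sends: the URL plus signed oauth_* parameters."""
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    params = {
        "oauth_consumer_key": "dpf43f3p2l4k3l03",
        "oauth_token": "nnch734d00sl2jdk",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1191242096",
        "oauth_nonce": "kllo9940pd9333jh",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return url, params


if __name__ == "__main__":
    url, params = consumer_request()
    print(authorization_header(params, realm="http://photos.example.net/"))
    print("verified:", verify("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET))
```

Two things this makes visible that the summary does not: the signature covers the method, the normalised URL and every query, body and oauth_* parameter, so a Service Provider that verifies it also detects tampering with the request, and a real Service Provider must additionally reject replayed (timestamp, nonce) pairs, which the signature alone does not prevent.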