In defense of PHP
Slashdot has a post about a popular PHP security expert leaving the PHP community.
I get a little peeved when I hear people quote silly reasons why PHP is insecure. For example:
When I looked at Zend’s introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability.
OK, I’ve developed web apps professionally in PHP, Python, Java and others, and I’ve used several app servers. No tool I’ve used makes it easier to remove XSS exploits than PHP. Python has no “strip tags” feature built in, neither do Perl or Java. C/C++? No way.
In addition to strip_tags, PHP has htmlspecialchars, which converts >, < and other tricky characters into their safe equivalents.
Now, what I feel is ridiculous is that tools don’t have a built-in function for removing XSS exploits while leaving otherwise safe markup. At the least it should take a list of acceptable tags and, for each tag, a list of acceptable attributes. Then any unacceptable attributes are removed from acceptable tags, and unacceptable tags are removed.
PHP doesn’t have this. Neither do Python, Ruby, Perl, Java, Rails, Zope… I don’t know if Asp.net has this feature, but it wouldn’t surprise me if it was the only one that does.
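As an added example (not code from the original post, nor a PHP built-in), here is the kind of allowlist sanitizer the post asks for, written on top of PHP's DOMDocument; the policy array and the function names are assumptions for illustration.

```php
<?php // Added example, not code from the original post: the allowlist sanitizer
// the post asks for. $policy maps each acceptable tag to its acceptable attributes;
// other tags are unwrapped (text kept), other attributes removed, and <script>
// and <style> dropped with their content. Policy names are illustrative.
function sanitize_html(string $html, array $policy): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('body')->item(0);
    sanitize_children($root, $policy);
    return implode('', array_map(fn($n) => $doc->saveHTML($n), iterator_to_array($root->childNodes)));
}

function sanitize_children(DOMNode $parent, array $policy): void {
    // Snapshot the list: it is live and changes as nodes are removed/unwrapped.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { // comments, PIs, CDATA
                $parent->removeChild($child);
            }
            continue; // plain text is escaped on output, so it stays
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $parent->removeChild($child);
        } elseif (!isset($policy[$tag])) {
            sanitize_children($child, $policy); // unwrap: keep sanitized children
            while ($child->firstChild) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
        } else {
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $policy[$tag], true) || !safe_url($name, $attr->value)) {
                    $child->removeAttributeNode($attr);
                }
            }
            sanitize_children($child, $policy);
        }
    }
}

// Allowing an attribute name is not enough for URL attributes: keep only http(s), mailto or relative values.
function safe_url(string $name, string $value): bool {
    $scheme = parse_url(preg_replace('/[\x00-\x20]/', '', $value), PHP_URL_SCHEME); // browsers ignore these chars
    return !in_array($name, ['href', 'src'], true) || $scheme === null
        || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}
```

Call it as `sanitize_html($input, ['b' => [], 'i' => [], 'a' => ['href', 'title']])`; the scheme check on href and src is what keeps an allowed attribute name from becoming a loophole.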