<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the-Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Wed, 19 Jun 2013 15:13:07 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[Gareth Heyes: Bypassing XSS Auditor]]></title>
      <guid>http://www.phpdeveloper.org/news/19209</guid>
      <link>http://www.phpdeveloper.org/news/19209</link>
      <description><![CDATA[<p>
<i>Gareth Heyes</i> has <a href="http://www.thespanner.co.uk/2013/02/19/bypassing-xss-auditor/">posted about some bypasses</a> that he's found for getting around the XSS Auditor functionality in some browsers:
</p>
<blockquote>
I had a look at XSS Auditor for a bit of fun because Mario said it's getting harder to bypass. Hmmm, I don't agree. I seem to remember the same flaws are present from the last time I checked it, with a little variation. It is also a very limited XSS filter, not supporting detection of script-based attacks (very common).
</blockquote>
<p>
He includes three of his own bypasses: using a "formaction" attribute on the submit input of a form, using "target" to get around the iframe external resource restriction, and injecting a specially placed anchor tag. Each of these comes with a proof-of-concept example, and another bypass is <a href="http://pastebin.com/7jU4yhs9">also included</a> courtesy of <i>Mario Heiderich</i>.
</p>]]></description>
      <pubDate>Wed, 20 Feb 2013 11:21:29 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Benjamin Eberlei's Blog: Test your Legacy PHP Application with Function Mocks!]]></title>
      <guid>http://www.phpdeveloper.org/news/12243</guid>
      <link>http://www.phpdeveloper.org/news/12243</link>
      <description><![CDATA[<p>
<i>Benjamin Eberlei</i> <a href="http://www.whitewashing.de/blog/articles/115">has a suggestion</a> for testing your application without having to mess around with creating new resources just for testing - use mocks.
</p>
<blockquote>
Much talking is going on about Unit testing, Mocks and TDD in the PHP world. For the most part these discussions surround object-oriented PHP code, frameworks and applications. Yet I would assert that the reality for PHP developers (me included) is dealing with PHP 4, PHP 5 migrated, or non-object-oriented legacy applications which are near to impossible to bring under test.
</blockquote>
<p>
He includes a "proof of concept" for a replacement <a href="http://php.net/mysql_query">mysql_query</a> function (created with Runkit) that sets up a "mocker" object which returns a "hello world" message whenever the mysql_query function is called.
</p>]]></description>
      <pubDate>Tue, 31 Mar 2009 11:18:31 -0500</pubDate>
    </item>
  </channel>
</rss>
