Well, I didn't get the idea about usage for developers; I thought of it
more for some website owner who wants to protect their website against
some threats. It might even lead them down the wrong lane, as they
would maybe stop trying to write secure code because the application
would do it for them...

Currently I would say that we have some general settings, which are
applied everywhere. And then you're able to set some special behaviour
for different areas of your website/given parameters. Let's say that
you maybe don't want to allow a user to post arbitrary code (only safe
code); you could add to your "filter rules" a rule that HTMLPurifier is
used upon the given parameter...

In general the plan is to increase your security by allowing only
secure alphanumeric text to enter your PHP stage. But then you should
be able to modify this behaviour to your needs, so that given
parameters are allowed to hold other values as well (HTML code), or
some given areas aren't checked at all, and such things. So let's take
an example: if you run a blog, it would only let in anything which is
alphanumeric text only. But that wouldn't be usable at all, so we
would disable the checking in the backend and allow some given HTML
tags for the comments parameter. So we could add a lot of security to
it, as everything beyond what is allowed would be dropped.

And it shall offer some tracking of intrusion (attempts), so if you
don't like the features above at all, let your blog only be watched
and get informed if anything strange was done; maybe even some given
part is shut down, to prevent your users from harm... So if some XSS
was detected, the search function request could be blocked until you
have checked the problem.

That's really vague, as my starting thought was only about offering a
global PHP port for PHPIDS, which would already track most of the
intrusion attempts, and upon these results we can already do many
things.
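As an added illustration of the plan sketched in this message (default-deny alphanumeric input, per-parameter rules that loosen it, areas excluded from checking, and a detection log that can shut an area down), here is a small PHP sketch of such a rule-driven filter. It is example code written for this thread, not PHPIDS code or code from the plugin being proposed; the class name, the rule names (`alnum`, `html`, `raw`), the area names and the sample request are all constructed. The `html` rule uses `strip_tags` with a tag allowlist as a stand-in for HTMLPurifier; because `strip_tags` leaves attributes on the allowed tags untouched, the real design would hand such values to HTMLPurifier instead. Requires PHP 7.4 or later for the typed properties.

```php
<?php
// Constructed example of a per-parameter request filter (not project code).
// Default rule: only alphanumeric text gets through. Per-parameter rules can
// allow limited HTML (stand-in for HTMLPurifier) or skip checking entirely.

class RequestFilter
{
    private array $rules;          // parameter name => rule name
    private string $default;       // rule for parameters not listed in $rules
    private array $log = [];       // what was rejected or altered, and where
    private array $disabledAreas = []; // areas shut down after a detection

    public function __construct(array $rules, string $default = 'alnum')
    {
        $this->rules = $rules;
        $this->default = $default;
    }

    // "Shoot down" an area: every request to it is refused until re-enabled.
    public function disableArea(string $area): void
    {
        $this->disabledAreas[$area] = true;
    }

    public function enableArea(string $area): void
    {
        unset($this->disabledAreas[$area]);
    }

    // Returns the cleaned parameters for $area; everything beyond the rule is dropped.
    public function filter(string $area, array $params): array
    {
        if (isset($this->disabledAreas[$area])) {
            $this->log[] = "$area: request refused, area is disabled";
            return [];
        }
        $clean = [];
        foreach ($params as $name => $value) {
            $value = (string) $value;
            $rule  = $this->rules[$name] ?? $this->default;
            switch ($rule) {
                case 'alnum':
                    // Default-deny: letters, digits and whitespace only.
                    if (preg_match('/^[\p{L}\p{N}\s]*$/u', $value)) {
                        $clean[$name] = $value;
                    } else {
                        $this->record($area, $name, $value, 'dropped');
                    }
                    break;
                case 'html':
                    // Stand-in for HTMLPurifier: short tag allowlist. strip_tags
                    // keeps attributes on the allowed tags, so a real deployment
                    // would purify here instead of stripping.
                    $purified = strip_tags($value, '<b><i><em><strong><p>');
                    if ($purified !== $value) {
                        $this->record($area, $name, $value, 'tags removed');
                    }
                    $clean[$name] = $purified;
                    break;
                case 'raw':
                    // Parameter explicitly excluded from checking.
                    $clean[$name] = $value;
                    break;
                default:
                    $this->record($area, $name, $value, 'unknown rule, dropped');
            }
        }
        return $clean;
    }

    private function record(string $area, string $name, string $value, string $action): void
    {
        $this->log[] = sprintf('%s: "%s" %s: %s', $area, $name, $action, substr($value, 0, 60));
    }

    public function log(): array
    {
        return $this->log;
    }
}

// Constructed sample: a blog frontend where only the comment body may carry HTML.
$filter = new RequestFilter(['comment' => 'html', 'q' => 'alnum']);
$clean  = $filter->filter('frontend', [
    'q'       => 'php filter',
    'comment' => 'Nice <b>post</b> <script>x()</script>',
    'author'  => 'alice<b>',           // not listed, so the alnum default applies
]);
print_r($clean);         // q kept, comment keeps <b> only, author dropped
print_r($filter->log()); // two entries: comment altered, author dropped

// After the tracker reports a detection on the search area, shut it down
// until someone has looked at the problem.
$filter->disableArea('search');
print_r($filter->filter('search', ['q' => 'anything'])); // empty array
```

The point of the layout is that the loosening is explicit per parameter: a new form field that nobody wrote a rule for falls back to the strict default instead of slipping through, and the log gives the "watch only" mode described above without changing any request until an operator decides to disable an area.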