Re: [RFC] Improve HTML escape

From:	Yasuo Ohgaki	Date:	Mon, 03 Feb 2014 01:43:48 +0000
Subject:	Re: [RFC] Improve HTML escape
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Stas,

On Sun, Feb 2, 2014 at 7:21 PM, Stas Malyshev <[email protected]>wrote:

> > Making ENT_QUOTES as a default is good idea also.
> > I should have add this to the RFC.
>
> Why is it a good idea? Could you explain what it adds to the security of
> this function?


Users can do

<tag attr='<?php echo htmlentities($str)?>' >

and this is valid. I think there is no reason not to escape ' by default.

I agree that user should not use unquoted attributes in general.

'/' escape  could be still useful. For example, user may have validation
code that allows printable ASCII chars w/o spaces. '/' escape may protect
apps from generating invalid tag in this case.

We could say "your application is broken in first place".
However, both "'" and '/" escapes do not break apps at all, yet it
covers some issues.

There is no reason not to escape these chars by default. IMHO.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (37 messages)

• Yasuo OhgakiSun, 02 Feb 2014 03:09:43 +0000
  • Sara GolemonSun, 02 Feb 2014 03:15:00 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:31:19 +0000
      • Sara GolemonSun, 02 Feb 2014 03:35:46 +0000
      • Pavel KouřilSun, 02 Feb 2014 09:38:22 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:54:38 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:19:03 +0000
  • Andrea FauldsSun, 02 Feb 2014 03:27:44 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:33:37 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:21:31 +0000
        • Rouven WeßlingSun, 02 Feb 2014 11:08:22 +0000
          • Pádraic BradySun, 02 Feb 2014 13:55:32 +0000
            • Rouven WeßlingSun, 02 Feb 2014 22:55:21 +0000
        • Yasuo OhgakiMon, 03 Feb 2014 01:43:48 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 05:33:55 +0000
          • Stas MalyshevMon, 03 Feb 2014 08:17:58 +0000
            • Pádraic BradyMon, 03 Feb 2014 11:06:22 +0000
              • Yasuo OhgakiMon, 03 Feb 2014 22:15:31 +0000
                • Stas MalyshevMon, 03 Feb 2014 22:21:08 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:26:47 +0000
                    • Rowan CollinsTue, 04 Feb 2014 14:53:28 +0000
                      • Pádraic BradyTue, 04 Feb 2014 15:15:45 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 22:04:07 +0000
              • Stas MalyshevMon, 03 Feb 2014 22:14:27 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 22:21:45 +0000
                  • Stas MalyshevMon, 03 Feb 2014 22:24:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:31:16 +0000
                      • Lester CaineMon, 03 Feb 2014 23:22:01 +0000
                        • Pádraic BradyTue, 04 Feb 2014 00:20:19 +0000
                        • Yasuo OhgakiTue, 04 Feb 2014 05:46:35 +0000
                • Pádraic BradyMon, 03 Feb 2014 22:31:14 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:37:49 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:44:05 +0000
  • Andrea FauldsTue, 04 Feb 2014 15:57:29 +0000
    • Pádraic BradyTue, 04 Feb 2014 21:22:26 +0000
      • Yasuo OhgakiWed, 05 Feb 2014 02:10:39 +0000
        • Pádraic BradyWed, 05 Feb 2014 10:54:07 +0000