Re: [RFC] Improve HTML escape

From: Yasuo Ohgaki
Date: Mon, 03 Feb 2014 05:33:55 +0000
Subject: Re: [RFC] Improve HTML escape
Groups: php.internals
Hi all,

On Mon, Feb 3, 2014 at 10:43 AM, Yasuo Ohgaki <[email protected]> wrote:

> On Sun, Feb 2, 2014 at 7:21 PM, Stas Malyshev <[email protected]>wrote:
>
>> > Making ENT_QUOTES the default is a good idea also.
>> > I should have added this to the RFC.
>>
>> Why is it a good idea? Could you explain what it adds to the security of
>> this function?
>
>
> Users can do
>
> <tag attr='<?php echo htmlentities($str)?>' >
>
>  and this is valid. I think there is no reason not to escape ' by default.
>
> I agree that user should not use unquoted attributes in general.
>
> '/' escape could still be useful. For example, a user may have validation
> code that allows printable ASCII chars w/o spaces. '/' escape may protect
> apps from generating an invalid tag in this case.
>
> We could say "your application is broken in the first place".
> However, both "'" and "/" escapes do not break apps at all, yet they
> cover some issues.
>
> There is no reason not to escape these chars by default. IMHO.
>

We may even deprecate ENT_COMPAT and ENT_QUOTES. We may ignore
them and always escape all chars recommended by OWASP. (Except ENT_NOQUOTES)

I think ENT_COMPAT/ENT_QUOTES do bad things rather than good.

Regards,

--
Yasuo Ohgaki
[email protected]
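The single-quoted attribute case discussed above, as an added example that is not part of the thread or of PHP's own sources. It passes the flags explicitly so the behaviour does not depend on the PHP version's default (ENT_COMPAT before 8.1, ENT_QUOTES from 8.1 on). The attacker value and the owasp_html_escape() helper are constructed here for illustration; the helper covers the OWASP-recommended set ("&", "<", ">", '"', "'", "/") by adding the "/" replacement that htmlentities() never performs.

```php
<?php
// Added example, not code from the thread: ENT_COMPAT vs ENT_QUOTES when an
// untrusted value lands inside a single-quoted attribute.

// Constructed attacker input: closes a single-quoted attribute and adds a handler.
$str = "x' onmouseover='alert(1)";

// ENT_COMPAT escapes only double quotes, so the single quote survives and the
// value breaks out of the attribute:
//   <div title='x' onmouseover='alert(1)'>
$compat = htmlentities($str, ENT_COMPAT | ENT_HTML401, 'UTF-8');
printf("<div title='%s'>\n", $compat);

// ENT_QUOTES escapes both quote styles, so the value stays inside the attribute:
//   <div title='x&#039; onmouseover=&#039;alert(1)'>
$quotes = htmlentities($str, ENT_QUOTES | ENT_HTML401, 'UTF-8');
printf("<div title='%s'>\n", $quotes);

// Hypothetical helper: escape the full OWASP-recommended character set.
// htmlentities() handles & < > " ' but leaves "/" alone, so it is added here.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning "".
function owasp_html_escape(string $s): string
{
    $out = htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
    return str_replace('/', '&#x2F;', $out);
}

// A closing tag passed through the helper is neutralised entirely:
//   &lt;&#x2F;script&gt;
echo owasp_html_escape('</script>'), "\n";
```

Run it with `php example.php`; the first printed line shows the attribute being broken out of, the second shows the same input held inside the attribute once ENT_QUOTES is used. Unquoted attributes remain unsafe with either flag set, since a space is enough to end the value there.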

