Re: [RFC] Improve HTML escape

Date: Mon, 03 Feb 2014 22:15:31 +0000
Groups: php.internals
Hi Padraic,

On Mon, Feb 3, 2014 at 8:06 PM, Pádraic Brady <[email protected]> wrote:

> There are three ways to present an attribute value validly in HTML5:
>
> 1. Double quoted
> 2. Single quoted
> 3. Unquoted.
>

Unquoted is a really bad standard with respect to security. I don't
understand why they allow unquoted attributes, but I think we need to
address this somehow.

htmlentities/htmlspecialchars may have ENT_NO_SPACE as an option. If
there is a space char, a null string is returned. The standard allows space
before attributes. A user may write

<tag attr =   <?php echo htmlentities($str, ENT_NO_SPACE);?> >

Use of this option is not recommended, but there is the standard. We may
support it even if we don't recommend it.

Regards,

--
Yasuo Ohgaki
[email protected]
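The point of the message above is that an escaper which only replaces `<`, `>`, `&` and quotes is not enough once the attribute value is unquoted, because whitespace terminates the value and whatever follows becomes a new attribute. The following PHP is an added example, not code from this thread or from PHP itself: it emulates the behaviour Yasuo proposes (return the empty string when the value contains whitespace) behind a hypothetical flag, since `ENT_NO_SPACE` does not exist in PHP. The constant `HYPOTHETICAL_ENT_NO_SPACE`, the function `attr_escape()` and the sample value are all assumptions made for the illustration.

```php
<?php
// Added example, not from the php.internals thread. ENT_NO_SPACE is not a real
// PHP constant; this placeholder bit stands in for it and is stripped before
// the flags reach htmlspecialchars().
const HYPOTHETICAL_ENT_NO_SPACE = 1 << 20;

/**
 * Escape a string for use as an HTML attribute value.
 *
 * With HYPOTHETICAL_ENT_NO_SPACE set, any value containing an HTML whitespace
 * character is refused and '' (the "null string" from the message) is returned,
 * because in an unquoted attribute such a character ends the value. Otherwise
 * the function behaves exactly like htmlspecialchars().
 */
function attr_escape(string $value, int $flags = ENT_QUOTES | ENT_HTML5): string
{
    if ($flags & HYPOTHETICAL_ENT_NO_SPACE) {
        // Tab, LF, FF, CR and space: the characters the HTML5 tokenizer treats
        // as the end of an unquoted attribute value.
        if (preg_match('/[\x09\x0A\x0C\x0D\x20]/', $value) === 1) {
            return '';
        }
        $flags &= ~HYPOTHETICAL_ENT_NO_SPACE;
    }
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Constructed sample input: a value that contains a space followed by what
// looks like another attribute. htmlspecialchars() leaves it untouched,
// because none of its characters are special to it.
$input = 'red injected=1';

// Quoted attribute: the space stays inside the value, one attribute results.
$quoted = '<div class="' . attr_escape($input) . '">';

// Unquoted attribute with the ordinary escaper: the space ends the class
// value and "injected=1" becomes a second attribute.
$unquoted = '<div class=' . attr_escape($input) . '>';

// Unquoted attribute with the hypothetical flag: the value is refused.
$guarded = '<div class=' . attr_escape($input, ENT_QUOTES | ENT_HTML5 | HYPOTHETICAL_ENT_NO_SPACE) . '>';

echo $quoted, PHP_EOL;
echo $unquoted, PHP_EOL;
echo $guarded, PHP_EOL;
```

Running it shows the three cases side by side: `$quoted` yields a single `class` attribute whose value still contains the space, `$unquoted` yields a `div` carrying both `class=red` and `injected=1`, and `$guarded` yields `<div class=>`, an empty value rather than an extra attribute. The refusal is deliberately blunt (empty string rather than an exception) to match what the message describes; the safer course, as the message also says, is simply to quote attribute values so the flag is never needed.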

