Re: [RFC] Improve HTML escape

From:	Yasuo Ohgaki	Date:	Mon, 03 Feb 2014 22:15:31 +0000
Subject:	Re: [RFC] Improve HTML escape
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Padraic,

On Mon, Feb 3, 2014 at 8:06 PM, Pádraic Brady <[email protected]>wrote:

> There are three ways to present an attribute value validly in HTML5:
>
> 1. Double quoted
> 2. Single quoted
> 3. Unquoted.
>

Unquoted is really bad standard with respect to security. I don't
understand why
they allow unquoted attributes, but I think we need to address this some
how.

htmlentities/htmlspecialchars may have ENT_NO_SPACE as an option. If
there is space char, null string is returned. Standard allows space before
attributes. User may write

<tag attr =   <?php echo htmlentities($str, ENT_NO_SPACE);?> >

Use of this option is not recommended,  but there is the standard. We may
support it even if we don't recommend it.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (37 messages)

• Yasuo OhgakiSun, 02 Feb 2014 03:09:43 +0000
  • Sara GolemonSun, 02 Feb 2014 03:15:00 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:31:19 +0000
      • Sara GolemonSun, 02 Feb 2014 03:35:46 +0000
      • Pavel KouřilSun, 02 Feb 2014 09:38:22 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:54:38 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:19:03 +0000
  • Andrea FauldsSun, 02 Feb 2014 03:27:44 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:33:37 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:21:31 +0000
        • Rouven WeßlingSun, 02 Feb 2014 11:08:22 +0000
          • Pádraic BradySun, 02 Feb 2014 13:55:32 +0000
            • Rouven WeßlingSun, 02 Feb 2014 22:55:21 +0000
        • Yasuo OhgakiMon, 03 Feb 2014 01:43:48 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 05:33:55 +0000
          • Stas MalyshevMon, 03 Feb 2014 08:17:58 +0000
            • Pádraic BradyMon, 03 Feb 2014 11:06:22 +0000
              • Yasuo OhgakiMon, 03 Feb 2014 22:15:31 +0000
                • Stas MalyshevMon, 03 Feb 2014 22:21:08 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:26:47 +0000
                    • Rowan CollinsTue, 04 Feb 2014 14:53:28 +0000
                      • Pádraic BradyTue, 04 Feb 2014 15:15:45 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 22:04:07 +0000
              • Stas MalyshevMon, 03 Feb 2014 22:14:27 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 22:21:45 +0000
                  • Stas MalyshevMon, 03 Feb 2014 22:24:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:31:16 +0000
                      • Lester CaineMon, 03 Feb 2014 23:22:01 +0000
                        • Pádraic BradyTue, 04 Feb 2014 00:20:19 +0000
                        • Yasuo OhgakiTue, 04 Feb 2014 05:46:35 +0000
                • Pádraic BradyMon, 03 Feb 2014 22:31:14 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:37:49 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:44:05 +0000
  • Andrea FauldsTue, 04 Feb 2014 15:57:29 +0000
    • Pádraic BradyTue, 04 Feb 2014 21:22:26 +0000
      • Yasuo OhgakiWed, 05 Feb 2014 02:10:39 +0000
        • Pádraic BradyWed, 05 Feb 2014 10:54:07 +0000