Stas,
On 3 February 2014 22:14, Stas Malyshev <[email protected]> wrote:
> Hi!
>
>> Some users have to conform to standards like PCI DSS.
>> PCI DSS requires following security standards and guidelines from OWASP,
>> SANS, etc.
>>
>> Why not make PHP standard compliant?
>> It does not hurt existing applications at all, and this is a simple enough
>> change.
>
> I'm sorry, could you please quote me a standard that requires PHP to
> escape / in a function called htmlentities? If there's no such standard,
> the argument of "but the standard requires it" is void. No standard can
> require you to use htmlentities where it should not be used. Putting
> stuff into the language just because somebody on the internet mentioned in
> a different context that it might be a good idea - is not. We should
> understand _why_ it is done and _why_ it is a good idea, especially when
> we're talking about security. In this case, the proposed use case should
> _never_ be used with htmlentities, due to obvious gaping security hole.
> Adding code to enable such scenario is just not right. Instead, we
> should tell people "Never ever do it. Ever.".
There is far too much going on here...
1. Bear in mind that htmlentities() and htmlspecialchars() are
equivalent for HTML special characters.
2. PCI DSS is a real standard that real people apply in real
applications. You can google it if you don't believe me. It's at
version 3.0.
3. PCI DSS specifically notes OWASP guides as a source of best
practice as part of Requirement 6 (which covers XSS among other
things).
4. The OWASP guide for XSS mentions escaping the forward slash.
5. We do not currently escape the forward slash.
While I'm dubious about forward slash escaping myself and think it
might have been OWASP veering into overkill, it doesn't change the
fact that Yasuo's argument is perfectly sound. Nor does it change the
state of single quote escaping, which is very obviously out of sync with
best practice.
Ignoring all this is tantamount to telling people not to use
htmlspecialchars() or htmlentities() at all. As in, never! Which,
coincidentally, is almost the current best practice in PHP, where we
wrap those functions for the sake of insulating ourselves from their
more colourful behaviours. Yep, the standard is not to use these
functions as-is. It would be nice to see them fixed or replaced, but
I'm not holding my breath.
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
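The two gaps the reply refers to (single quotes left alone under PHP's
then-default ENT_COMPAT flag set, and the forward slash never being
touched), plus the kind of wrapper it says frameworks end up writing, as
a runnable PHP example. This is an added illustration, not code from the
thread, from PHP, or from Zend Framework; the function names
escape_html() and breaks_single_quoted_attr(), and the attacker payload,
are made up for the example. It passes every flag explicitly so that it
behaves the same on PHP 5.4 onwards, regardless of the default-flag
change in PHP 8.1.

```php
<?php
declare(strict_types=1);

/**
 * A wrapper of the kind the reply describes (hypothetical name).
 * ENT_QUOTES escapes ' as well as "; ENT_SUBSTITUTE makes an invalid
 * UTF-8 byte sequence come out as U+FFFD instead of htmlspecialchars()
 * returning "" for the whole string (its behaviour since PHP 5.4 when
 * that flag is absent). The final str_replace() adds the forward-slash
 * escaping from the OWASP XSS cheat sheet that the thread is arguing
 * about; it is harmless to HTML output either way.
 */
function escape_html(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('/', '&#x2F;', $escaped);
}

/** True if an escaped value could still terminate a single-quoted attribute. */
function breaks_single_quoted_attr(string $escaped): bool
{
    return strpos($escaped, "'") !== false;
}

// Constructed attacker input aimed at a single-quoted attribute value.
$payload = "' onmouseover='alert(1)";

// ENT_COMPAT was the default flag set in PHP 5.x (and stayed so until
// PHP 8.1): double quotes are escaped, single quotes are not, so the
// value closes the attribute and the event handler lands in the tag.
$compat = htmlspecialchars($payload, ENT_COMPAT, 'UTF-8');
printf("ENT_COMPAT: <input value='%s'>  breaks out: %s\n",
    $compat, var_export(breaks_single_quoted_attr($compat), true));

// With the wrapper the single quote becomes a character reference.
$safe = escape_html($payload);
printf("wrapper:    <input value='%s'>  breaks out: %s\n",
    $safe, var_export(breaks_single_quoted_attr($safe), true));

// Constructed invalid UTF-8 (a lone Latin-1 byte). Without ENT_SUBSTITUTE
// the whole string is silently replaced by "", which is one of the
// surprises a wrapper exists to hide.
$bad = "caf\xE9";
printf("no ENT_SUBSTITUTE: %s\n",
    var_export(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'), true));
printf("wrapper:           %s\n", var_export(escape_html($bad), true));

// Forward slash: untouched by htmlspecialchars(), encoded by the wrapper.
printf("%s | %s\n", htmlspecialchars('</a>', ENT_QUOTES, 'UTF-8'), escape_html('</a>'));
```

Run it with `php example.php`. The point is not that the wrapper is clever
but that none of its three decisions (ENT_QUOTES, ENT_SUBSTITUTE, the
charset) could be left to the function's defaults on the PHP versions
current when this thread was written, which is exactly why the reply says
the functions are not used as-is.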