Hi Stas,
On Tue, Feb 4, 2014 at 7:24 AM, Stas Malyshev <[email protected]> wrote:
> > I've already written the URL to OWASP.
> >
> > PCI DSS v3 states in section 6.5
> >
> > Develop applications based on secure coding guidelines.
>
> Secure coding guidelines in this case is to not use htmlentities in this
> context. If you already violate this requirement, why would you expect
> PHP to un-violate it for you?
I'm lost here.
OWASP suggests escaping at least
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;     &apos; not recommended because it's not in the HTML spec
(See: section 24.4.1) &apos; is in the XML and XHTML specs.
/ --> &#x2F;     forward slash is included as it helps end an HTML entity
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
I'm not sure why you state "already violate this requirement".
Regards,
--
Yasuo Ohgaki
[email protected]
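As an added illustration of the OWASP Rule #1 list cited above (this is example code, not code from the thread or from PHP itself), the following escaper applies exactly the six substitutions OWASP names and runs them side by side with PHP's own htmlspecialchars(), so the difference in single-quote and slash handling is visible. The sample string is constructed for the demonstration; only PHP standard functions are used.

```php
<?php
// Added example, not code from the thread or from PHP: an escaper that applies
// the six substitutions in OWASP XSS Prevention Cheat Sheet Rule #1, run next
// to PHP's htmlspecialchars() to show where the built-in differs from the list.

/**
 * Escape untrusted text for insertion into HTML element content using the
 * exact entities OWASP Rule #1 lists. strtr() with an array scans the input
 * once and never re-examines replaced text, so the '&' introduced by the
 * other entities is not double-encoded.
 */
function owasp_html_escape(string $untrusted): string
{
    return strtr($untrusted, [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',  // &apos; avoided: it is not in the HTML 4 spec
        '/' => '&#x2F;',  // slash escaped because it helps end an HTML entity
    ]);
}

// Constructed sample input: exercises all six characters, no real payload.
$sample = "Tom & Jerry's <b>\"quoted\"</b> path/to";

$variants = [
    'owasp_html_escape'             => owasp_html_escape($sample),
    // Before PHP 8.1 the default flags were ENT_COMPAT | ENT_HTML401, which
    // leave the single quote untouched; PHP 8.1+ defaults to ENT_QUOTES.
    'htmlspecialchars() default'    => htmlspecialchars($sample),
    // Explicit flags: the single quote becomes &#039; under ENT_HTML401.
    'htmlspecialchars() ENT_QUOTES' => htmlspecialchars($sample, ENT_QUOTES | ENT_HTML401, 'UTF-8'),
];

foreach ($variants as $name => $escaped) {
    printf("%-30s %s\n", $name, $escaped);
}

// Neither htmlspecialchars() variant touches '/', so this check documents the
// one character from the OWASP list that the built-in leaves as-is.
foreach ($variants as $name => $escaped) {
    $slashLeft = strpos($escaped, '/') !== false;
    printf("%-30s unescaped slash: %s\n", $name, $slashLeft ? 'yes' : 'no');
}
```

Run it with `php escape_demo.php` (file name assumed). The point it makes for the discussion above: htmlspecialchars() covers the OWASP list only when called with ENT_QUOTES, and even then it never encodes the forward slash, so a reviewer checking code against Rule #1 has to look at the flags, not just the function name. htmlentities(), by contrast, additionally converts every character that has a named HTML entity, which is a different job from the minimal element-content escaping OWASP describes here.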