Re: [RFC] Improve HTML escape

Date: Mon, 03 Feb 2014 22:31:16 +0000
Subject: Re: [RFC] Improve HTML escape
Hi Stas,

On Tue, Feb 4, 2014 at 7:24 AM, Stas Malyshev <[email protected]> wrote:

> > I've already written the URL to OWASP.
> >
> > PCI DSS v3 states in section 6.5
> >
> > Develop applications based on secure coding guidelines.
>
> Secure coding guidelines in this case is to not use htmlentities in this
> context. If you already violate this requirement, why would you expect
> PHP to un-violate it for you?


I'm lost here.
OWASP suggests escaping at least

 & --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; not recommended because it's not in the HTML spec
(See: section 24.4.1) &apos; is in the XML and XHTML specs.
 / --> &#x2F;     forward slash is included as it helps end an HTML entity

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I'm not sure why you state "already violate this requirement".

Regards,

--
Yasuo Ohgaki
[email protected]
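As an added example that is not part of the original post and not PHP's own code, the snippet below implements the six OWASP replacements listed in the message in a hypothetical function owasp_html_escape() and prints, next to it, what PHP's built-in htmlspecialchars() produces for the same constructed input, so the difference the thread is arguing about is visible on one line of output:

```php
<?php
// Added example (not from the thread or from PHP's source). Implements the
// OWASP "Rule #1" table quoted above and compares it with htmlspecialchars().
declare(strict_types=1);

/**
 * Escape untrusted data for insertion into HTML element content using the
 * six replacements from the OWASP XSS prevention cheat sheet.
 * (Hypothetical helper; the name is this example's own.)
 */
function owasp_html_escape(string $untrusted): string
{
    static $map = [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',   // numeric reference: &apos; is not in the HTML 4 spec
        '/' => '&#x2F;',   // a slash can close a tag or entity early
    ];
    // strtr() with an array replaces in a single pass over the input, so the
    // '&' introduced by one replacement is never escaped a second time.
    return strtr($untrusted, $map);
}

// Constructed sample input containing all six characters.
$sample = '<script>alert("x")</script> <a href=\'/x\'>Tom & Jerry</a>';

$escaped = owasp_html_escape($sample);

// Self-check: none of < > " ' / survive; the only '&' left start references.
assert(strpbrk($escaped, '<>"\'/') === false);

echo "OWASP table:      ", $escaped, PHP_EOL;
// htmlspecialchars() with ENT_QUOTES escapes & < > " and ' (as &#039; under
// ENT_HTML401) but leaves '/' untouched, which is the one gap against the
// OWASP list that this comparison makes visible.
echo "htmlspecialchars: ", htmlspecialchars($sample, ENT_QUOTES | ENT_HTML401, 'UTF-8'), PHP_EOL;
```

Run with `php example.php`. The two output lines differ only in the slashes (`&#x2F;` versus a literal `/`) and in the apostrophe's numeric form (`&#x27;` versus `&#039;`), which are equivalent references for the same character; the rest of the OWASP table is already what htmlspecialchars() emits once ENT_QUOTES is passed.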

