Re: [RFC] Improve HTML escape

From: Rowan Collins
Date: Tue, 04 Feb 2014 14:53:28 +0000
Subject: Re: [RFC] Improve HTML escape
Groups: php.internals
Yasuo Ohgaki wrote (on 03/02/2014):
> On Tue, Feb 4, 2014 at 7:21 AM, Stas Malyshev <[email protected]> wrote:
>> Nowhere in any standard it says we must use htmlentities to support every possible context.
>
> We may or may not support unquoted attributes. I think it's really dangerous, therefore we may not support it ;) It may be good for PHP to declare "We support HTML5!", though.

I think part of the misunderstanding here is the distinction between "should PHP support an appropriate escape mechanism for this situation?" and "should the htmlentities() function be extended to be the appropriate escape mechanism for this situation?"

The security requirement is for *users* to use appropriate escaping, and quoting, mechanisms for the output formats they use. The combination of quoted attributes and htmlspecialchars() with ENT_QUOTES is a secure escaping method, provided by the core of PHP.

HTML5 *allows* users to use non-quoted attributes, but PHP does not currently have a built-in function which provides adequate escaping for that scenario. Such a function would need to do more than just escaping /, as others have pointed out; for instance, it would need to either escape, filter, or reject all forms of whitespace.

I have no real opinion on what that function should be, except that I will personally never use it, because I will simply put quotes around my attributes and remove any need for it.

Regards,
Rowan Collins
[IMSoP]
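The contrast Rowan draws above, as an added example that is not part of the thread or of PHP's own code: the same htmlspecialchars() output is placed first in a quoted attribute and then in an unquoted one. The helper name `attr()` and the sample attribute values are constructed for this illustration; the flags are real htmlspecialchars() flags.

```php
<?php
// Added example (not from the thread): the same escaped value in a quoted
// and in an unquoted HTML attribute.

/**
 * Escape a value for use inside a double- or single-quoted HTML attribute.
 * ENT_QUOTES converts both " and ' so the value can never terminate the
 * quoted attribute it sits in; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: one value tries to close the attribute with a
// quote, the other only contains a space.
$withQuote = 'x" title=injected';
$withSpace = 'x title=injected';

// Quoted attribute: the quote is escaped, so the entire string remains one
// attribute value. This is the combination the message calls secure.
echo '<div data-v="' . attr($withQuote) . '">' . PHP_EOL;
// <div data-v="x&quot; title=injected">

echo '<div data-v="' . attr($withSpace) . '">' . PHP_EOL;
// <div data-v="x title=injected">          (still a single attribute)

// Unquoted attribute: htmlspecialchars() does not touch whitespace, so the
// space ends the value and "title=injected" is parsed as a second attribute.
// This is the gap the thread describes; the fix is to quote the attribute.
echo '<div data-v=' . attr($withSpace) . '>' . PHP_EOL;
// <div data-v=x title=injected>            (two attributes)
```

Run it with `php example.php`; the comments after each echo show the emitted markup. The third line is why escaping alone does not cover the unquoted-attribute context: a function for that context would also have to handle every form of whitespace, as the message says, whereas quoting the attribute makes ENT_QUOTES sufficient.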
