Re: [RFC] Improve HTML escape

From:	Rowan Collins	Date:	Tue, 04 Feb 2014 14:53:28 +0000
Subject:	Re: [RFC] Improve HTML escape
References:	1 2 3 4 5 6 7 8 9 10	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Yasuo Ohgaki wrote (on 03/02/2014):
On Tue, Feb 4, 2014 at 7:21 AM, Stas Malyshev <[email protected]>wrote:

Nowhere in any standard it says we must use htmlentities to support
every possible context.

We may or may not support unquoted attributes.
I think it's really dangerous, therefore we my not support it ;)
It may be good for PHP to declare "We support HTML5!", though.

I think part of the misunderstanding here is the distinction between "should PHP support an appropriate escape mechanism for this situation?" and "should the htmlentities() function be extended to be the appropriate escape mechanism for this situation?"

The security requirement is for *users* to use appropriate escaping, and quoting, mechanisms for the output formats they use. The combination of quoted attributes and htmlspecialchars() with ENT_QUOTES is a secure escaping method, provided by the core of PHP.

HTML5 *allows* users to use non-quoted attributes, but PHP does not currently have a built-in function which provides adequate escaping for that scenario. Such a function would need to do more than just escaping /, as others have pointed out; for instance, it would need to either escape, filter, or reject all forms of whitespace.

I have no real opinion on what that function should be, except that I will personally never use it, because I will simply put quotes around my attributes and remove any need for it.

Regards,
Rowan Collins
[IMSoP]




   

Thread (37 messages)

• Yasuo OhgakiSun, 02 Feb 2014 03:09:43 +0000
  • Sara GolemonSun, 02 Feb 2014 03:15:00 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:31:19 +0000
      • Sara GolemonSun, 02 Feb 2014 03:35:46 +0000
      • Pavel KouřilSun, 02 Feb 2014 09:38:22 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:54:38 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:19:03 +0000
  • Andrea FauldsSun, 02 Feb 2014 03:27:44 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 03:33:37 +0000
      • Stas MalyshevSun, 02 Feb 2014 10:21:31 +0000
        • Rouven WeßlingSun, 02 Feb 2014 11:08:22 +0000
          • Pádraic BradySun, 02 Feb 2014 13:55:32 +0000
            • Rouven WeßlingSun, 02 Feb 2014 22:55:21 +0000
        • Yasuo OhgakiMon, 03 Feb 2014 01:43:48 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 05:33:55 +0000
          • Stas MalyshevMon, 03 Feb 2014 08:17:58 +0000
            • Pádraic BradyMon, 03 Feb 2014 11:06:22 +0000
              • Yasuo OhgakiMon, 03 Feb 2014 22:15:31 +0000
                • Stas MalyshevMon, 03 Feb 2014 22:21:08 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:26:47 +0000
                    • Rowan CollinsTue, 04 Feb 2014 14:53:28 +0000
                      • Pádraic BradyTue, 04 Feb 2014 15:15:45 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 22:04:07 +0000
              • Stas MalyshevMon, 03 Feb 2014 22:14:27 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 22:21:45 +0000
                  • Stas MalyshevMon, 03 Feb 2014 22:24:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:31:16 +0000
                      • Lester CaineMon, 03 Feb 2014 23:22:01 +0000
                        • Pádraic BradyTue, 04 Feb 2014 00:20:19 +0000
                        • Yasuo OhgakiTue, 04 Feb 2014 05:46:35 +0000
                • Pádraic BradyMon, 03 Feb 2014 22:31:14 +0000
                  • Yasuo OhgakiMon, 03 Feb 2014 22:37:49 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 22:44:05 +0000
  • Andrea FauldsTue, 04 Feb 2014 15:57:29 +0000
    • Pádraic BradyTue, 04 Feb 2014 21:22:26 +0000
      • Yasuo OhgakiWed, 05 Feb 2014 02:10:39 +0000
        • Pádraic BradyWed, 05 Feb 2014 10:54:07 +0000