PHP RFC: Improve HTML escape
HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping ”<”, ”>”, ”””, ”'”, ”&” and ”/”.
OWASP recommends escaping ”<”, ”>”, ”””, ”'”, ”&” and ”/”.
PHP 5.6 has default character encoding, If PHP ignores ENT_COMPAT, users may write simply
<textarea><?php echo htmlentities($str); ?></textarea>
Weak legacy scripts may be protected also by this change.
User may do
<tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>
When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it.
<tag onmouseover="user_code_here;/*"><tag foo="*/ evil_code_here;"> <tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >
Escaping all chars recommended by OWASP always is more secure and preferred.
NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines.
Escape all chars OWASP recommends.
- Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add ”/” escape.
Backward Incompatible Changes
None for almost all applications.
Since output differs, there might be test program issues.
Proposed PHP Version(s)
PHP 5.6 and up
VOTE: 2014/02/17 - 2014/02/24
Thank you for voting!
Patches and Tests
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
Links to external references, discussions or RFCs
Keep this updated with features that were discussed on the mail lists.