rfc:secure-html-escape
Differences
rfc:secure-html-escape [2014/02/03 05:37] – yohgaki | rfc:secure-html-escape [2014/03/06 20:22] – yohgaki | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== PHP RFC: Improve HTML escape ====== | ====== PHP RFC: Improve HTML escape ====== | ||
- | * Version: | + | * Version: |
- | * Date: 2014-02-02 | + | * Created: 2014-02-03 |
+ | * Date: 2014-02-10 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | HTML escape can be improved by escaping "/" | + | HTML escape can be improved by escaping all dangerous chars. |
OWASP [[https:// | OWASP [[https:// | ||
- | |recommends]] "/" | + | |recommends]] |
- | User may do | + | [[https:// |
+ | <code php> | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | Weak legacy scripts may be protected also by this change. | ||
+ | |||
+ | |||
+ | User may do | ||
+ | <code php> | ||
<tag attr=<? | <tag attr=<? | ||
+ | </ | ||
When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it. | When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it. | ||
- | It's better to escape all chars recommended by OWASP. | + | Or broken HTML parser may recognize JavaScript comment and execute malicious code. |
+ | <code html> | ||
+ | <tag onmouseover=" | ||
+ | <tag onmouseover=user_code_here;/ | ||
+ | </ | ||
+ | |||
+ | Escaping all chars recommended by OWASP always is more secure and preferred. | ||
+ | |||
+ | NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines. | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | * Add "/" | + | Escape all chars OWASP recommends. |
- | * Deprecate ENT_COMPAT/ | + | |
+ | * Deprecate ENT_COMPAT/ | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
- | None for most applications. | + | None for almost all applications. |
Since output differs, there might be test program issues. | Since output differs, there might be test program issues. | ||
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
- | |||
- | PHP 5.4 and up | ||
- | |||
- | or | ||
PHP 5.6 and up | PHP 5.6 and up | ||
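Review bot: the Introduction concedes that the `<tag attr=<?` example "is broken in first place as attribute is not quoted", so the Proposal should say explicitly that escaping "/" and the other OWASP-recommended characters is a defence-in-depth measure for output that is already malformed, not a substitute for quoting attribute values; as written, "Weak legacy scripts may be protected also by this change" can be read as a guarantee. Two smaller points in the same hunk: the Backward Incompatible Changes section says only "None for almost all applications" and that "there might be test program issues", but since the escaped output for strings containing the newly escaped characters changes, it should list exactly which characters are now encoded so test fixtures can be updated; and the new line "NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines." cites no requirement or clause and should either carry a reference or be dropped.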
Line 45: | Line 61: | ||
===== Open Issues ===== | ===== Open Issues ===== | ||
- | Which version to introduce. | ||
- | ===== Proposed Voting Choices | + | ===== Vote ===== |
- | VOTE is not started. | + | VOTE: 2014/02/17 - 2014/02/24 |
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
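Review bot: removing "Which version to introduce." leaves the Open Issues section as a bare heading with no body; either write "None" under it or drop the heading, since an empty section reads as if content was lost. The new Vote section gives the voting window (2014/02/17 - 2014/02/24) and the Yes/No options but does not state the majority required for acceptance; add that so the result can be read against the rule.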
Line 74: | Line 89: | ||
Links to external references, discussions or RFCs | Links to external references, discussions or RFCs | ||
+ | |||
+ | * http:// | ||
===== Rejected Features ===== | ===== Rejected Features ===== |
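Review bot: the reference added under "Links to external references, discussions or RFCs" is a bare URL with no description; give it a short label (mailing-list thread, pull request, OWASP page) so a reader knows what the link supports without following it.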
rfc/secure-html-escape.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1