rfc:secure-html-escape
Differences
rfc:secure-html-escape [2014/02/03 05:52] – yohgaki | rfc:secure-html-escape [2014/03/06 20:22] – yohgaki
Line 1: | Line 1: | ||
====== PHP RFC: Improve HTML escape ====== | ====== PHP RFC: Improve HTML escape ====== | ||
- | * Version: | + | * Version: |
- | * Date: 2014-02-03 | + | * Created: 2014-02-03 |
+ | * Date: 2014-02-10 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | HTML escape can be improved by escaping "/" | + | HTML escape can be improved by escaping all dangerous chars. |
OWASP [[https:// | OWASP [[https:// | ||
- | |recommends]] "/" | + | |recommends]] |
- | User may do | + | [[https:// |
+ | <code php> | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | Weak legacy scripts may be protected also by this change. | ||
+ | |||
+ | |||
+ | User may do | ||
<code php> | <code php> | ||
<tag attr=<? | <tag attr=<? | ||
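Review bot: the added sentence "Weak legacy scripts may be protected also by this change." overstates what the RFC demonstrates; the only case the text shows escaping helping is an unquoted attribute value (the `<tag attr=<?php ...` example), so qualify it, e.g. "may be protected against the unquoted-attribute case shown below". The new opening line "escaping all dangerous chars" replaces the concrete "/" of the previous revision with a vague phrase; name the character set the Proposal will escape here (OWASP's list is `&`, `<`, `>`, `"`, `'` and `/`) so readers do not have to follow the OWASP link to know what changes.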
Line 22: | Line 31: | ||
When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it. | When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it. | ||
- | Escaping all chars recommended by OWASP always is more secure | + | Or broken HTML parser may recognize JavaScript comment |
- | [[https:// | + | < |
- | + | <tag onmouseover=" | |
- | < | + | <tag onmouseover=user_code_here; |
- | <textarea><?php echo htmlentities($str); ?></textarea> | + | |
</ | </ | ||
- | Weak legacy scripts may be protected also. | + | Escaping all chars recommended by OWASP always is more secure and preferred. |
+ | |||
+ | NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines. | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | * Add "/" | + | Escape all chars OWASP recommends. |
- | * Deprecate ENT_COMPAT/ | + | |
+ | * Deprecate ENT_COMPAT/ | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
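Review bot: the new `<tag onmouseover=...` example should state explicitly that escaping "/" only preserves the tag structure and does not make the value safe inside an event handler: the HTML parser decodes the escaped entity back to "/" before the attribute value reaches the JavaScript engine, so the injected text still runs as script in an `onmouseover` attribute. Without that caveat "Escaping all chars recommended by OWASP always is more secure" reads as a claim about JavaScript contexts, which HTML escaping does not cover. The added PCI DSS NOTE should cite the specific requirement it relies on rather than asserting that the standard "requires to follow OWASP, SANS, NIST" in general.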
Line 52: | Line 63: | ||
- | ===== Proposed Voting Choices | + | ===== Vote ===== |
- | VOTE is not started. | + | VOTE: 2014/02/17 - 2014/02/24 |
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
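Review bot: the renamed Vote section gives the voting window (2014/02/17 - 2014/02/24) but not the majority required to accept the change; add whether a simple majority or 2/3 is needed, and state it before the doodle so voters see it with the Yes/No choices.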
Line 78: | Line 89: | ||
Links to external references, discussions or RFCs | Links to external references, discussions or RFCs | ||
+ | |||
+ | * http:// | ||
===== Rejected Features ===== | ===== Rejected Features ===== |
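Review bot: the references list adds a single URL but still omits the OWASP page that the Introduction links to as the basis for the character set; add that link here so the external source for "all chars recommended by OWASP" is recorded alongside the other references.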
rfc/secure-html-escape.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1