rfc:secure-html-escape

rfc:secure-html-escape [2014/02/05 02:23] yohgaki
rfc:secure-html-escape [2014/03/06 20:23] yohgaki
Line 1: Line 1:
  
 ====== PHP RFC: Improve HTML escape ====== ====== PHP RFC: Improve HTML escape ======
-  * Version: 0.10 +  * Version: 1.0 
-  * Date: 2014-02-03+  * Created: 2014-02-03 
 +  * Date: 2014-02-10
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion+  * Status: Declined
   * First Published at: http://wiki.php.net/rfc/secure-html-escape   * First Published at: http://wiki.php.net/rfc/secure-html-escape
  
 ===== Introduction ===== ===== Introduction =====
  
-HTML escape can be improved by escaping "/".+HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping "<", ">", """, "'", "&" and "/".
  
 OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
-|recommends]] "/" escape.+|recommends]] escaping "<", ">", """, "'", "&" and "/".
  
-User may do+[[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]], If PHP ignores ENT_COMPAT, users may write simply 
  
 +<code php>
 +  <textarea><?php echo htmlentities($str); ?></textarea>
 +</code>
 +
 +Weak legacy scripts may be protected also by this change.
 +
 +
 +User may do
 <code php> <code php>
   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>
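Review bot: the rewritten Introduction sentence is duplicated ("HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping ..."); keep one of the two. The textarea example moved up into this section also does not show what the flag change buys: ENT_COMPAT differs from ENT_QUOTES only in leaving the single quote unescaped, and a single quote in textarea element content is harmless under either flag. The context the flags actually decide is a single-quoted attribute, `<tag attr='<?php echo htmlentities($str); ?>'>`, where ENT_COMPAT lets `' onmouseover='...` terminate the value; that would be the stronger example for "weak legacy scripts may be protected".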
Line 25: Line 34:
  
 <code html> <code html>
-<tag onmouseover="user_code_here; /*"><tag foo="*/evil_code_here;"> +<tag onmouseover="user_code_here;/*"><tag foo="*/ evil_code_here;"> 
-<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >+<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >
 </code> </code>
  
 Escaping all chars recommended by OWASP always is more secure and preferred. Escaping all chars recommended by OWASP always is more secure and preferred.
  
-[[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]]If PHP ignores ENT_COMPATusers may write simply  +NOTEPCI DSS standard requires to follow OWASPSANSNIST and other security standards and guidelines.
- +
-<code php> +
-  <textarea><?php echo htmlentities($str); ?></textarea> +
-</code> +
- +
-Weak legacy scripts may be protected also.+
  
 ===== Proposal ===== ===== Proposal =====
  
-  * Add "/" escape by default for htmlentities()/htmlspecialchars(). i.e. Escape all chars recommended by OWASP by default. (Currently ENT_COMPAT is the default)+Escape all chars OWASP recommends. 
-  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them.+ 
 +  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
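Review bot: the unquoted-attribute example this section rests on, `<tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>`, is not fixed by escaping "/" or by any choice of ENT_* flag: an unquoted value ends at the first space, and htmlentities() never touches spaces, so `x onmouseover=...` still adds an attribute whatever is escaped. The proposal should say that the fix for that case is quoting the attribute. The onmouseover/`/*` ... `*/` example cannot show the benefit of the "/" escape either, because an event-handler attribute is entity-decoded by the HTML parser before the script engine sees it, so `&#x2F;*` is `/*` again by the time JavaScript parses it; an example where "/" matters in an HTML context is needed. The Proposal bullet also folds two distinct changes into one ("Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape"): ignoring ENT_COMPAT silently changes the output of every existing call that passes it, and belongs as its own item under Backward Incompatible Changes.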
Line 59: Line 63:
  
  
-===== Proposed Voting Choices =====+===== Vote =====
  
  
-VOTE is not started.+VOTE: 2014/02/17 - 2014/02/24
    
 <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true"> <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true">
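Review bot: the vote title ("Add / escape and Make ENT_QUOTES default") and the Proposal text ("Deprecate ENT_COMPAT/ENT_QUOTES and ignore them") describe different changes: making ENT_QUOTES the default still lets a caller opt out with ENT_COMPAT, while ignoring both flags removes that choice. State which of the two was put to the vote, since the backward-compatibility impact differs.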
Line 85: Line 89:
  
 Links to external references, discussions or RFCs Links to external references, discussions or RFCs
 +
 +  * http://marc.info/?l=php-internals&m=139131067522473&w=2
  
 ===== Rejected Features ===== ===== Rejected Features =====
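The following is an added example, not part of the RFC and not code from PHP or its authors. It runs the attribute break-out payloads the RFC discusses through htmlspecialchars() with ENT_COMPAT, with ENT_QUOTES, and through a small helper (`owasp_escape`, an assumption of this example, not a PHP API) that adds the "/" escape OWASP recommends, and reports for each attribute syntax whether the escaped value can still terminate the attribute. Flags are passed explicitly because the default changed in PHP 8.1; the payloads are constructed for this example. It assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);
// Added example (not part of the RFC): which attribute contexts the
// ENT_COMPAT / ENT_QUOTES flags and the extra "/" escape actually protect.

/** htmlspecialchars() plus the "/" escape OWASP recommends. Own helper, not a PHP API. */
function owasp_escape(string $s): string
{
    $out = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
    return str_replace('/', '&#x2F;', $out);
}

/**
 * True if $escaped, inserted as an attribute value with the given quoting,
 * can terminate that value. A double-quoted value ends at ", a single-quoted
 * one at '; an unquoted value ends at any whitespace, and HTML also forbids
 * " ' = < > and backtick inside it, so any of those counts as a break-out.
 */
function breaks_out(string $escaped, string $quoting): bool
{
    switch ($quoting) {
        case 'double':   return strpos($escaped, '"') !== false;
        case 'single':   return strpos($escaped, "'") !== false;
        case 'unquoted': return preg_match('/[\s"\'=<>`]/', $escaped) === 1;
    }
    throw new InvalidArgumentException("unknown quoting: $quoting");
}

/**
 * Runs one constructed payload per attribute syntax through each escaper.
 * Returns [quoting][escaper] => bool, true meaning injection is still possible.
 */
function assess(): array
{
    $payloads = [                                   // constructed attacker input
        'double'   => '" onmouseover="alert(1)',    // targets <a title="...">
        'single'   => "' onmouseover='alert(1)",    // targets <a title='...'>
        'unquoted' => 'x onmouseover=alert(1)',     // targets <a title=...>
    ];
    $escapers = [
        'ENT_COMPAT' => function (string $s): string {
            return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
        },
        'ENT_QUOTES' => function (string $s): string {
            return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
        },
        'OWASP'      => 'owasp_escape',
    ];
    $result = [];
    foreach ($payloads as $quoting => $payload) {
        foreach ($escapers as $name => $fn) {
            $result[$quoting][$name] = breaks_out($fn($payload), $quoting);
        }
    }
    return $result;
}

foreach (assess() as $quoting => $byEscaper) {
    printf("%-9s attribute: ", $quoting);
    foreach ($byEscaper as $name => $injectable) {
        printf("%s=%s ", $name, $injectable ? 'INJECT' : 'safe');
    }
    echo "\n";
}
// The "/" escape is visible only outside attributes, e.g. in a closing tag:
echo owasp_escape('</textarea><script>'), "\n";
```

The table this prints makes the RFC's two points separately visible: the single-quoted attribute is the only context where ENT_COMPAT and ENT_QUOTES differ (ENT_COMPAT leaves it injectable), and the unquoted attribute stays injectable under every escaper, including the one with the "/" escape, because the break-out character is a space. Quoting the attribute, not a different flag, is the fix for that case.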
rfc/secure-html-escape.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1