rfc:secure-html-escape
rfc:secure-html-escape [2014/02/05 02:24] – yohgaki | rfc:secure-html-escape [2014/03/06 20:22] – yohgaki | ||
Line 1: | Line 1: | ||
====== PHP RFC: Improve HTML escape ====== | ====== PHP RFC: Improve HTML escape ====== | ||
- | * Version: | + | * Version: |
- | * Date: 2014-02-03 | + | * Created: 2014-02-03 |
+ | * Date: 2014-02-10 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | HTML escape can be improved by escaping "/" | + | HTML escape can be improved by escaping all dangerous chars. |
OWASP [[https:// | OWASP [[https:// | ||
- | |recommends]] "/" | + | |recommends]] |
- | Users may do | + | [[https:// |
+ | <code php> | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | Weak legacy scripts may also be protected by this change. |
+ | |||
+ | |||
+ | Users may do |
<code php> | <code php> | ||
<tag attr=<? | <tag attr=<? | ||
Line 31: | Line 40: | ||
Always escaping all chars recommended by OWASP is more secure and preferred. | Always escaping all chars recommended by OWASP is more secure and preferred. |
- | [[https:// | + | NOTE: The PCI DSS standard requires following OWASP, SANS, NIST and other security standards and guidelines. |
- | + | ||
- | <code php> | + | |
- | < | + | |
- | </ | + | |
- | + | ||
- | Weak legacy scripts may also be protected. | + | |
===== Proposal ===== | ===== Proposal ===== | ||
- | * Add "/" | + | Escape all chars OWASP recommends. |
- | * Deprecate ENT_COMPAT/ | + | |
+ | * Deprecate ENT_COMPAT/ | ||
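The following is an added worked example, not code from the RFC or from PHP itself. It shows in userland what the proposal amounts to: escaping all six characters OWASP lists for HTML body and attribute context (`&`, `<`, `>`, `"`, `'`, `/`), next to what `htmlspecialchars()` does with the `ENT_COMPAT` flag the RFC wants to deprecate and with `ENT_QUOTES`. The function name `escape_html_owasp` and the sample input are assumptions made for this example.

```php
<?php
// Added example (not part of the RFC): escape the six characters the OWASP
// XSS Prevention Cheat Sheet lists for HTML body/attribute context.
//   & < > " ' /
// Escaping "/" is the part this RFC proposes adding to htmlspecialchars().
function escape_html_owasp($s)
{
    static $map = array(
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    );
    // strtr() with an array does a single pass, so "&" in the input is
    // escaped once and the "&" of a produced entity is never re-escaped.
    return strtr($s, $map);
}

// Constructed sample input: contains a single quote and a slash, the two
// characters that differ between the three escapers below.
$input = "it's </a> a/b";

// ENT_COMPAT (the default before PHP 5.4) converts & < > " but leaves ' alone.
echo htmlspecialchars($input, ENT_COMPAT, 'UTF-8'), "\n";
// -> it's &lt;/a&gt; a/b

// ENT_QUOTES also converts the single quote; neither flag touches "/".
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";
// -> it&#039;s &lt;/a&gt; a/b

// The OWASP set escapes the slash as well.
echo escape_html_owasp($input), "\n";
// -> it&#x27;s &lt;&#x2F;a&gt; a&#x2F;b
```

`htmlspecialchars()` emits the single quote as `&#039;` with `ENT_QUOTES` (and as `&apos;` only when `ENT_HTML5` is also given), while the OWASP table uses `&#x27;`; both decode identically in browsers. If the RFC's change to `htmlspecialchars()` is adopted, the third output is what the built-in would produce, and the userland wrapper becomes unnecessary.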
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
Line 59: | Line 63: | ||
- | ===== Proposed Voting Choices | + | ===== Vote ===== |
- | Voting has not started. | + | VOTE: 2014/02/17 - 2014/02/24 |
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
Line 85: | Line 89: | ||
Links to external references, discussions or RFCs | Links to external references, discussions or RFCs | ||
+ | |||
+ | * http:// | ||
===== Rejected Features ===== | ===== Rejected Features ===== |
rfc/secure-html-escape.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1