rfc:secure-html-escape
rfc:secure-html-escape [2014/02/17 05:23] – yohgaki
====== PHP RFC: Improve HTML escape ======
  * Version: 1.0
  * Created: 2014-02-03
  * Date: 2014-02-10
  * Author: Yasuo Ohgaki <
  * Status: Vote
  * First Published at: http://

===== Introduction =====

HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping "<",

OWASP [[https://|recommends]] escaping "<",

[[https://

<code php>
<
</code>

Weak legacy scripts may also be protected by this change.


Users may write:
<code php>
<tag attr=<?
</code>

When this is the case, the HTML tag structure is broken. It is broken in the first place because the attribute is not quoted, but it would not be good to destroy the tag structure when we can avoid it.

Or a broken HTML parser may recognize a JavaScript comment and execute malicious code.

<code html>
<tag onmouseover="
<tag onmouseover=user_code_here;/
</code>

Always escaping all chars recommended by OWASP is more secure and preferred.

NOTE: The PCI DSS standard requires following OWASP, SANS, NIST and other security standards and guidelines.
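As an added example (not part of this RFC or of PHP's own code), the following PHP contrasts the legacy ENT_COMPAT escape set with the full set OWASP recommends, including the single quote and the slash; the helper names owasp_html_escape and legacy_html_escape and the sample input are constructed for this illustration.

```php
<?php
// Added example, not from the RFC or from PHP itself.
// Escape all six characters OWASP recommends for HTML: & < > " ' /
// htmlspecialchars() with ENT_QUOTES covers & < > " and '; "/" is added by hand.
function owasp_html_escape(string $s): string
{
    $escaped = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('/', '&#x2F;', $escaped);
}

// Legacy behaviour for comparison: ENT_COMPAT escapes & < > " only,
// so a single quote and a slash pass through unchanged.
function legacy_html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: a single quote and a JavaScript line comment,
// the two characters the legacy flags leave alone.
$input = "x' onmouseover=user_code_here //";

// In a single-quoted attribute the legacy output lets the quote end the
// value; the OWASP output keeps the whole string inside the attribute.
printf("legacy: <tag attr='%s'>\n", legacy_html_escape($input));
printf("owasp:  <tag attr='%s'>\n", owasp_html_escape($input));
```

Run it with the PHP CLI and compare the two lines; the single quote survives only in the legacy output, which is the case the RFC wants to close.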

===== Proposal =====

Escape all chars OWASP recommends.

  * Deprecate ENT_COMPAT/

===== Backward Incompatible Changes =====

None for almost all applications.

Since the output differs, there may be issues with test programs.

===== Proposed PHP Version(s) =====

PHP 5.6 and up


===== Open Issues =====


===== Vote =====

VOTE: 2014/02/17 - 2014/02/22

<doodle title="
  * Yes
  * No
</doodle>

Thank you for voting!

===== Patches and Tests =====

TBD

===== Implementation =====

After the project is implemented,
  - the version(s) it was merged to
  - a link to the git commit(s)
  - a link to the PHP manual entry for the feature

===== References =====

Links to external references, discussions or RFCs

  * http://

===== Rejected Features =====

Keep this updated with features that were discussed on the mail lists.

rfc/secure-html-escape.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1