rfc:secure-html-escape

rfc:secure-html-escape [2014/02/03 05:44] yohgaki
rfc:secure-html-escape [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 1: Line 1:
  
 ====== PHP RFC: Improve HTML escape ====== ====== PHP RFC: Improve HTML escape ======
-  * Version: 0.9 +  * Version: 1.0 
-  * Date: 2014-02-02+  * Created: 2014-02-03 
 +  * Date: 2014-02-10
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion+  * Status: Declined
   * First Published at: http://wiki.php.net/rfc/secure-html-escape   * First Published at: http://wiki.php.net/rfc/secure-html-escape
  
 ===== Introduction ===== ===== Introduction =====
  
-HTML escape can be improved by escaping "/".+HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping "<", ">", """, "'", "&" and "/".
  
 OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
-|recommends]] "/" escape.+|recommends]] escaping "<", ">", """, "'", "&" and "/".
  
-User may do+[[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]], If PHP ignores ENT_COMPAT, users may write simply 
  
 +<code php>
 +  <textarea><?php echo htmlentities($str); ?></textarea>
 +</code>
 +
 +Weak legacy scripts may be protected also by this change.
 +
 +
 +User may do
 +<code php>
   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>
 +</code>
  
 When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it. When this is the case, HTML TAG structure is broken. It's broken in first place as attribute is not quoted, but it would not be good to destroy tag structure while we can avoid it.
  
-It's better to escape all chars recommended by OWASP+Or broken HTML parser may recognize JavaScript comment and execute malicious code
  
-Since [[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]], users may simply write+<code html> 
 +<tag onmouseover="user_code_here;/*"><tag foo="*evil_code_here;"> 
 +<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here;
 +</code>
  
-  <textarea><?php echo htmlentities($str); ?></textarea>+Escaping all chars recommended by OWASP always is more secure and preferred.
  
-If PHP ignores ENT_COMPATweak legacy scripts may be protected also.+NOTE: PCI DSS standard requires to follow OWASPSANS, NIST and other security standards and guidelines.
  
 ===== Proposal ===== ===== Proposal =====
  
-  * Add "/" escape by default for htmlentities()/htmlspecialchars(). i.e. Escape all chars recommended by OWASP by default. (Currently ENT_COMPAT is the default)+Escape all chars OWASP recommends. 
-  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them.+ 
 +  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape.
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-None for most applications.+None for almost all applications.
  
 Since output differs, there might be test program issues. Since output differs, there might be test program issues.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
- 
-PHP 5.4 and up 
- 
-or 
  
 PHP 5.6 and up PHP 5.6 and up
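Review bot: the Backward Incompatible Changes line "None for almost all applications" understates the proposal's own effect: once ENT_COMPAT is ignored, every existing htmlentities($str) / htmlspecialchars($str) call begins encoding ' and / as well, so any code that compares, stores or post-processes the escaped output sees different bytes, and callers that pass ENT_COMPAT explicitly silently get ENT_QUOTES behaviour. The later sentence "Since output differs, there might be test program issues." belongs in this section together with the explicit list of newly escaped characters. In the <code html> block, the first line's attribute value foo="*evil_code_here;" is missing the slash that the second line's foo=*/evil_code_here; has, so the quoted-attribute line does not actually contain the / character the RFC is about; the two lines should be made parallel. Finally, the new Introduction line runs two sentences together ("...escaping all dangerous chars. HTML escape can be improved by escaping ..."); one sentence listing the characters is enough.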
Line 50: Line 61:
 ===== Open Issues ===== ===== Open Issues =====
  
-Which version to introduce. 
  
  
-===== Proposed Voting Choices =====+===== Vote =====
  
  
-VOTE is not started.+VOTE: 2014/02/17 - 2014/02/24
    
 <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true"> <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true">
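Review bot: the vote title "Add / escape and Make ENT_QUOTES default" does not match the Proposal section, which says to deprecate ENT_COMPAT/ENT_QUOTES and ignore them; making ENT_QUOTES the default and ignoring the flags entirely are different behaviours for callers that pass ENT_COMPAT explicitly, and voters should be shown one consistent description. The Open Issues section is also left empty after removing "Which version to introduce." rather than recording that 5.6 and up was chosen; either drop the heading or state the resolution there.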
Line 79: Line 89:
  
 Links to external references, discussions or RFCs Links to external references, discussions or RFCs
 +
 +  * http://marc.info/?l=php-internals&m=139131067522473&w=2
  
 ===== Rejected Features ===== ===== Rejected Features =====
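Review bot: the reference added under external references is a bare marc.info URL with no description; since the Status line now reads Declined, the entry should say what it points to (the php-internals discussion thread, as the l=php-internals parameter indicates) and the vote outcome, so a reader of the RFC index can see why the proposal was declined without following the link.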
rfc/secure-html-escape.1391406286.txt.gz · Last modified: 2017/09/22 13:28 (external edit)