PHP RFC: Improve HTML escape
- Version: 0.9
- Date: 2014-02-02
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/secure-html-escape
Introduction
HTML escaping can be improved by also escaping “/”.
The OWASP XSS Prevention Cheat Sheet recommends escaping “/” in addition to &, <, >, “ and '.
A user may write an unquoted attribute such as
<tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>
In this case the HTML tag structure can be broken by the escaped value. It is already broken because the attribute value is not quoted, but it is still better not to let an escaped value alter the tag structure when that can be avoided.
It is better to escape all characters that OWASP recommends escaping.
Since PHP 5.6 has a default character encoding (the default_charset INI setting), users may simply write
<textarea><?php echo htmlentities($str); ?></textarea>
If PHP ignored ENT_COMPAT and always escaped single quotes as well, weak legacy scripts that rely on the default flags would be protected too.
Proposal
- Escape “/” by default in htmlentities()/htmlspecialchars(), i.e. escape all characters recommended by OWASP by default. (Currently ENT_COMPAT is the default, so single quotes are only escaped when ENT_QUOTES is passed explicitly.)
- Deprecate ENT_COMPAT and ENT_QUOTES and ignore them, so that both double and single quotes are always escaped.
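As an added example for the introduction and the proposal above (this is not code from the RFC or from PHP itself), the following PHP compares what htmlspecialchars() does today with ENT_COMPAT and ENT_QUOTES against a user-land helper that applies the OWASP rule the proposal would make the default. The helper names owasp_html_escape() and html_attr(), the sample input, and the assumption of PHP 5.4 or later (for ENT_SUBSTITUTE) are all choices made for this illustration.

```php
<?php
// Added example, not code from the RFC or from PHP. It shows what
// htmlspecialchars() does today with ENT_COMPAT (the default) and ENT_QUOTES,
// and a user-land helper that applies the OWASP escaping rule the RFC
// proposes as the new default. The helper names owasp_html_escape() and
// html_attr() and the sample input are assumptions made for this illustration.

/**
 * Escape the six characters OWASP lists for HTML body and attribute
 * contexts: & < > " ' and /. htmlspecialchars() never touches "/", so it
 * is added here with the entity OWASP recommends (&#x2F;).
 */
function owasp_html_escape($str)
{
    // ENT_QUOTES: escape both " and '. ENT_SUBSTITUTE (PHP 5.4+): replace
    // invalid UTF-8 with U+FFFD instead of silently returning "".
    $out = htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Entities emitted above never contain "/", so replacing it afterwards
    // cannot double-encode anything.
    return str_replace('/', '&#x2F;', $out);
}

/**
 * Emit a complete, double-quoted attribute. Whatever the escaping defaults
 * are, an unquoted attribute value can still be split by whitespace, so the
 * real fix for the template in the introduction is to let the helper supply
 * the quotes around the escaped value.
 */
function html_attr($name, $value)
{
    return ' ' . $name . '="' . owasp_html_escape($value) . '"';
}

// Constructed attacker-controlled value containing every character of interest.
$str = 'x" onmouseover="alert(1)\' /><script>';

// ENT_COMPAT (current default): " < > & are escaped; ' and / pass through.
echo "ENT_COMPAT:\n  ", htmlspecialchars($str, ENT_COMPAT, 'UTF-8'), "\n";

// ENT_QUOTES: ' is escaped as well; / still passes through.
echo "ENT_QUOTES:\n  ", htmlspecialchars($str, ENT_QUOTES, 'UTF-8'), "\n";

// OWASP rule (the proposed default): ' and / are escaped too.
echo "OWASP rule:\n  ", owasp_html_escape($str), "\n";

// The unquoted attribute from the introduction versus a quoted one.
// The first line still splits into several attributes at the space;
// the second keeps the whole value inside one attribute.
echo '<tag attr=', owasp_html_escape($str), ">\n";
echo '<tag', html_attr('attr', $str), ">\n";
```

Running this shows the difference between the flag sets on one input: with ENT_COMPAT both the single quote and the slash reach the page unchanged, ENT_QUOTES encodes the single quote as a numeric reference (PHP emits &#039;, the OWASP table lists &#x27;; both denote the same character), and only the helper encodes “/”. The last two lines are the practitioner's caveat: even with every OWASP character escaped, the unquoted <tag attr=...> form still lets whitespace start a new attribute, which is why html_attr() emits the surrounding quotes itself rather than relying on the template author to add them.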
Backward Incompatible Changes
None for most applications.
Since the output differs (“/” and “'” are escaped where they were not before), test suites that compare exact escaped output may need to be updated.
Proposed PHP Version(s)
PHP 5.4 and up
or
PHP 5.6 and up
Open Issues
Which version to introduce the change in.
Proposed Voting Choices
The vote has not started.
Patches and Tests
TBD
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
Links to external references, discussions or RFCs
Rejected Features
Keep this updated with features that were discussed on the mail lists.