rfc:secure-html-escape

rfc:secure-html-escape [2014/02/05 02:23] yohgakirfc:secure-html-escape [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 1: Line 1:
  
 ====== PHP RFC: Improve HTML escape ====== ====== PHP RFC: Improve HTML escape ======
-  * Version: 0.10 +  * Version: 1.0 
-  * Date: 2014-02-03+  * Created: 2014-02-03 
 +  * Date: 2014-02-10
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion+  * Status: Declined
   * First Published at: http://wiki.php.net/rfc/secure-html-escape   * First Published at: http://wiki.php.net/rfc/secure-html-escape
  
 ===== Introduction ===== ===== Introduction =====
  
-HTML escape can be improved by escaping "/".+HTML escape can be improved by escaping all dangerous chars. HTML escape can be improved by escaping "<", ">", """, "'", "&" and "/".
  
 OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
-|recommends]] "/" escape.+|recommends]] escaping "<", ">", """, "'", "&" and "/".
  
-User may do+[[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]], If PHP ignores ENT_COMPAT, users may write simply 
  
 +<code php>
 +  <textarea><?php echo htmlentities($str); ?></textarea>
 +</code>
 +
 +Weak legacy scripts may be protected also by this change.
 +
 +
 +User may do
 <code php> <code php>
   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>   <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>
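Review bot: the textarea snippet added to the Introduction (`<textarea><?php echo htmlentities($str); ?></textarea>`) only shows the shorter call; it does not show what goes wrong when ENT_QUOTES is omitted, whereas the unquoted-attribute example `<tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>` already in the section does, so consider stating that the textarea form is the simplified call the new default would permit and keeping the attribute example as the motivating case. The rewritten opening sentence also says the same thing twice ("escaping all dangerous chars" followed by the explicit list "<", ">", """, "'", "&" and "/"); the second, explicit sentence alone reads cleaner. Minor: "PHP 5.6 has default character encoding]], If PHP ignores" should end the first sentence with a period and begin the next with a capital, and "Weak legacy scripts may be protected also by this change" would be more useful if it said how, namely that existing htmlentities()/htmlspecialchars() calls that pass no flags would start escaping quotes and "/".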
Line 25: Line 34:
  
 <code html> <code html>
-<tag onmouseover="user_code_here; /*"><tag foo="*/evil_code_here;"> +<tag onmouseover="user_code_here;/*"><tag foo="*/ evil_code_here;"> 
-<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >+<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >
 </code> </code>
  
 Escaping all chars recommended by OWASP always is more secure and preferred. Escaping all chars recommended by OWASP always is more secure and preferred.
  
-[[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]]If PHP ignores ENT_COMPATusers may write simply  +NOTEPCI DSS standard requires to follow OWASPSANSNIST and other security standards and guidelines.
- +
-<code php> +
-  <textarea><?php echo htmlentities($str); ?></textarea> +
-</code> +
- +
-Weak legacy scripts may be protected also.+
  
 ===== Proposal ===== ===== Proposal =====
  
-  * Add "/" escape by default for htmlentities()/htmlspecialchars(). i.e. Escape all chars recommended by OWASP by default. (Currently ENT_COMPAT is the default)+Escape all chars OWASP recommends. 
-  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them.+ 
 +  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape.
  
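Review bot: the single bullet "Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape." folds two independent changes into one item, and the previous revision's note that ENT_COMPAT is currently the default was dropped; listing "escape quotes unconditionally (ENT_COMPAT is currently the default)" and "add "/" to the escaped set" as separate bullets keeps each change, and its entry under Backward Incompatible Changes, reviewable on its own. The revised example `<tag onmouseover="user_code_here;/*"><tag foo="*/ evil_code_here;">` is also left without explanation of which of the escaped characters is meant to defeat it and why; one sentence tying the example to the proposal would make the case for the new default much clearer than the bare "Escaping all chars recommended by OWASP always is more secure and preferred."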
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
Line 59: Line 63:
  
  
-===== Proposed Voting Choices =====+===== Vote =====
  
  
-VOTE is not started.+VOTE: 2014/02/17 - 2014/02/24
    
 <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true"> <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true">
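Review bot: the doodle title "Add / escape and Make ENT_QUOTES default" does not match the Proposal section, which says to deprecate ENT_COMPAT/ENT_QUOTES and ignore them rather than make ENT_QUOTES the default; the vote text and the proposal should say the same thing so voters know whether an explicitly passed flag would still be honored. The vote window 2014/02/17 - 2014/02/24 and the header's Status change to Declined are consistent with closed="true".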
Line 85: Line 89:
  
 Links to external references, discussions or RFCs Links to external references, discussions or RFCs
 +
 +  * http://marc.info/?l=php-internals&m=139131067522473&w=2
  
 ===== Rejected Features ===== ===== Rejected Features =====
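Review bot: the new reference `http://marc.info/?l=php-internals&m=139131067522473&w=2` is a bare URL under "Links to external references, discussions or RFCs"; a short label saying what it is (for example the php-internals discussion thread for this RFC) would help readers, and since the RFC is now Declined, a pointer to where the decision was discussed belongs here as well.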
rfc/secure-html-escape.1391566992.txt.gz · Last modified: 2017/09/22 13:28 (external edit)