PHP RFC: Improve HTML escape

Introduction

HTML escaping can be improved by also escaping “/”.

OWASP recommends escaping “/” in addition to “&”, “<”, “>”, “"” and “'”.

A user may write an unquoted attribute:

  <tag attr=<?php echo htmlentities($str, ENT_QUOTES, 'UTF-8') ?>>

In this case the HTML tag structure is broken. It is broken in the first place because the attribute is not quoted, but it is better not to destroy the tag structure when we can avoid it.

Or a broken HTML parser may recognize a JavaScript comment spanning attributes and execute malicious code:

<tag onmouseover="user_code_here;/*"><tag foo="*/ evil_code_here;">
<tag onmouseover=user_code_here;/* ><tag foo=*/evil_code_here; >

Always escaping all characters recommended by OWASP is more secure and is the preferred behaviour.

PHP 5.6 has a default character encoding (default_charset). If PHP ignores ENT_COMPAT/ENT_QUOTES and always escapes quotes, users may simply write

  <textarea><?php echo htmlentities($str); ?></textarea>

Weak legacy scripts that rely on the defaults would be protected as well.

Proposal

  • Add “/” escaping by default for htmlentities()/htmlspecialchars(), i.e. escape all characters recommended by OWASP by default. (Currently ENT_COMPAT is the default, so single quotes are not escaped unless ENT_QUOTES is passed explicitly.)
  • Deprecate ENT_COMPAT/ENT_QUOTES and ignore them.
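As an added illustration (this is not code from the RFC or from PHP itself), the proposed default written as a userland function, compared with the current ENT_COMPAT and ENT_QUOTES behaviour on a constructed input. The function names html_escape_owasp() and escape_variants() and the sample values are assumptions of this example:

```php
<?php
// Added example, not code from the RFC or from PHP itself: a userland
// function that escapes the full OWASP-recommended set & < > " ' /, which is
// what the RFC proposes htmlspecialchars()/htmlentities() should do by
// default. The name html_escape_owasp() is an assumption of this example.
function html_escape_owasp($str)
{
    // ENT_QUOTES covers & < > " and '. ENT_SUBSTITUTE (PHP >= 5.4) replaces
    // invalid UTF-8 sequences with U+FFFD instead of returning an empty
    // string, so a malformed input cannot silently blank the output.
    $escaped = htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // None of the entities htmlspecialchars() emits contain "/", so this
    // replacement only touches slashes that came from $str.
    return str_replace('/', '&#x2F;', $escaped);
}

// The same input under the current default, under ENT_QUOTES, and under the
// proposed default. Flags are passed explicitly so the result does not
// depend on the PHP version's built-in default (ENT_COMPAT before 8.1).
function escape_variants($str)
{
    return array(
        'ENT_COMPAT (default before PHP 8.1)' => htmlspecialchars($str, ENT_COMPAT, 'UTF-8'),
        'ENT_QUOTES'                          => htmlspecialchars($str, ENT_QUOTES, 'UTF-8'),
        'OWASP set (proposed default)'        => html_escape_owasp($str),
    );
}

// Constructed attacker-controlled value: a single quote followed by the
// start of a JavaScript block comment, the pattern from the RFC's example.
$input = "x'/*";
foreach (escape_variants($input) as $mode => $out) {
    printf("%-36s %s\n", $mode, $out);
}

// Why the quote matters: in a single-quoted attribute, an unescaped '
// ends the value and the attacker controls the rest of the tag.
$attr = htmlspecialchars("' onmouseover=alert(1) x='", ENT_COMPAT, 'UTF-8');
echo "<input value='$attr'>\n";

// The same value with the proposed escaping stays inside the attribute.
$safe = html_escape_owasp("' onmouseover=alert(1) x='");
echo "<input value='$safe'>\n";
```

Run it with the php command-line binary. ENT_COMPAT leaves both the quote and the slash untouched, ENT_QUOTES escapes the quote as &#039; but still passes the slash through, and the OWASP variant additionally emits &#x2F; for the slash. The ENT_SUBSTITUTE flag goes beyond the RFC text: without it, htmlspecialchars() returns an empty string on invalid UTF-8 input, which is a second way for escaping to fail silently that a practitioner should close at the same time.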

Backward Incompatible Changes

None for almost all applications.

Since the escaped output differs (single quotes and “/” are now encoded), tests that compare escaped output against fixed expected strings may need updating.

Proposed PHP Version(s)

PHP 5.6 and up

Open Issues

Proposed Voting Choices

VOTE is not started.

Add / escape and Make ENT_QUOTES default
Real name Yes No
ajf (ajf)  
bwoebi (bwoebi)  
datibbaw (datibbaw)  
derick (derick)  
hradtke (hradtke)  
kassner (kassner)  
klaussilveira (klaussilveira)  
levim (levim)  
lstrojny (lstrojny)  
mbeccati (mbeccati)  
nikic (nikic)  
stas (stas)  
treffynnon (treffynnon)  
zeev (zeev)  
Final result: Yes 4, No 10
This poll has been closed.

Patches and Tests

TBD

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature

References

Links to external references, discussions or RFCs

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/secure-html-escape.1391567060.txt.gz · Last modified: 2017/09/22 13:28 (external edit)