rfc:secure-html-escape
rfc:secure-html-escape [2014/02/05 02:28] – yohgaki | rfc:secure-html-escape [2017/09/22 13:28] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== PHP RFC: Improve HTML escape ====== | ====== PHP RFC: Improve HTML escape ====== | ||
- | * Version: | + | * Version: |
- | * Date: 2014-02-03 | + | * Created: 2014-02-03 |
+ | * Date: 2014-02-10 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | HTML escape can be improved by escaping "/" | + | HTML escape can be improved by escaping all dangerous chars. |
OWASP [[https:// | OWASP [[https:// | ||
- | |recommends]] "/" | + | |recommends]] |
- | User may do | + | [[https:// |
+ | <code php> | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | Weak legacy scripts may be protected also by this change. | ||
+ | |||
+ | |||
+ | User may do | ||
<code php> | <code php> | ||
<tag attr=<? | <tag attr=<? | ||
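Review bot: on the "+" side of the Introduction the text changes from escaping "/" to "escaping all dangerous chars" without naming them, while the rest of this hunk only ever names "/"; list the characters the change covers so the reader can compare them against the OWASP recommendation cited on the following lines. The new metadata also keeps both "Created: 2014-02-03" and "Date: 2014-02-10"; say what the "Date" field tracks so the two are not read as conflicting.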
Line 30: | Line 39: | ||
Escaping all chars recommended by OWASP always is more secure and preferred. | Escaping all chars recommended by OWASP always is more secure and preferred. | ||
- | |||
- | [[https:// | ||
- | |||
- | <code php> | ||
- | < | ||
- | </ | ||
- | |||
- | Weak legacy scripts may be protected also. | ||
- | |||
NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines. | NOTE: PCI DSS standard requires to follow OWASP, SANS, NIST and other security standards and guidelines. | ||
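Review bot: "Escaping all chars recommended by OWASP always is more secure and preferred." is carried unchanged into the new revision as an absolute claim; either qualify it to the case the RFC argues (unquoted attribute values) or drop "always". The unchanged PCI DSS note asserts that the standard "requires" following OWASP, SANS and NIST; cite the requirement it refers to so the reader can verify it.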
Line 44: | Line 44: | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | * Add "/" | + | Escape all chars OWASP recommends. |
- | * Deprecate ENT_COMPAT/ | + | |
+ | * Deprecate ENT_COMPAT/ | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
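Review bot: on the "+" side, "Escape all chars OWASP recommends." has lost the "*" list marker that the replaced "* Add "/"" line had, so the Proposal now reads as a sentence followed by a single bullet ("* Deprecate ENT_COMPAT/"); restore the bullet or make both items sentences. The proposal should also say which escaping mode or default the change applies to, since the Backward Incompatible Changes section that follows has to be judged against it.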
Line 62: | Line 63: | ||
- | ===== Proposed Voting Choices | + | ===== Vote ===== |
- | VOTE is not started. | + | VOTE: 2014/02/17 - 2014/02/24 |
<doodle title=" | <doodle title=" | ||
Line 88: | Line 89: | ||
Links to external references, discussions or RFCs | Links to external references, discussions or RFCs | ||
+ | |||
+ | * http:// | ||
===== Rejected Features ===== | ===== Rejected Features ===== |
rfc/secure-html-escape.1391567294.txt.gz · Last modified: 2017/09/22 13:28 (external edit)