Differences

This shows you the differences between two versions of the page.

--- rfc:secure-html-escape [2014/02/10 03:00] – yohgaki
+++ rfc:secure-html-escape [2017/09/22 13:28] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== PHP RFC: Improve HTML escape ======
-  * Version: 0.10
+  * Version: 1.0
   * Created: 2014-02-03
   * Date: 2014-02-10
   * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
-  * Status: Under Discussion
+  * Status: Declined
   * First Published at: http://wiki.php.net/rfc/secure-html-escape
@@ Line 13: / Line 13: @@
 OWASP [[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
-|recommends]] "/" escape.
+|recommends]] escaping "<", ">", """, "'", "&" and "/".
 [[https://wiki.php.net/rfc/default_encoding|PHP 5.6 has default character encoding]], If PHP ignores ENT_COMPAT, users may write simply
@@ Line 44: / Line 44: @@
 ===== Proposal =====
-  * Add "/" escape by default for htmlentities()/htmlspecialchars(). i.e. Escape all chars recommended by OWASP by default. (Currently ENT_COMPAT is the default).
+Escape all chars OWASP recommends.
-  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them.
+  * Deprecate ENT_COMPAT/ENT_QUOTES and ignore them and add "/" escape.
 ===== Backward Incompatible Changes =====
@@ Line 62: / Line 63: @@
-===== Proposed Voting Choices =====
+===== Vote =====
-VOTE: 2014/02/16 - 2014/02/22
+VOTE: 2014/02/17 - 2014/02/24
 <doodle title="Add / escape and Make ENT_QUOTES default" auth="yohgaki" voteType="single" closed="true">

Differences

Page Tools