Newsgroups: php.internals
Date: Sat, 26 Dec 2020 11:02:42 +0000
To: PHP internals
Subject: ENT_COMPAT for htmlentities and htmlspecialchars
From: craig@craigfrancis.co.uk (Craig Francis)

Hi,

Could htmlspecialchars() use ENT_QUOTES by default?

I recently worked on an example script, where I tried to keep it simple by using htmlspecialchars directly, e.g.

    echo "";

I'd completely forgotten that single quotes are not escaped by default, creating an XSS vulnerability, e.g.

    $url = "/' onerror='alert(1)";

All the common frameworks I could find use ENT_QUOTES to do this safely (details below).

Christoph (cmb69) suggests this was done for HTML4 compatibility, with older versions of PHP possibly having issues with numeric character references (a quick search suggests PHP 5.4?).

PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue to do so - because the named version, &apos;, was added in HTML5, but can still cause problems with legacy parsers; for example Android 4, and the one still in use by Microsoft Outlook (&amp;/&gt;/&lt; were in the original HTML spec, and &quot; was added in HTML2).
I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I prefer to keep as much of the valid data (rather than losing everything), but that's not as important as escaping the apostrophe by default.

Craig

WordPress uses ENT_QUOTES (ish):
https://developer.wordpress.org/reference/functions/esc_html/

Laravel, with Blade, uses ENT_QUOTES:
https://github.com/illuminate/support/blob/master/helpers.php#L118

Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243

CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120

CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67

YII uses ENT_QUOTES | ENT_SUBSTITUTE:
https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111

Phalcon uses ENT_QUOTES:
https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78

FuelPHP uses ENT_QUOTES:
https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459
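The following script is an added example, not part of Craig's email or of PHP's own code. It makes the difference he describes concrete by running the same inputs through htmlspecialchars() with the historical default flags (ENT_COMPAT | ENT_HTML401, passed explicitly so the result does not depend on the PHP version) and with ENT_QUOTES | ENT_SUBSTITUTE. The helper names escapeLegacyDefault() and escapeAttr(), and the sample strings, are my own constructions; the single-quote payload is the one from the email.

```php
<?php
// Added example (not from the original email): compare what htmlspecialchars()
// produces under the old default flags and under ENT_QUOTES | ENT_SUBSTITUTE.

declare(strict_types=1);

/**
 * Reproduce the pre-PHP 8.1 default (ENT_COMPAT | ENT_HTML401): only double
 * quotes are converted, and a string containing invalid UTF-8 comes back empty.
 */
function escapeLegacyDefault(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

/**
 * What the frameworks listed in the email do: convert both quote styles
 * (single quote becomes &#039;) and replace invalid UTF-8 sequences with
 * U+FFFD instead of discarding the whole string.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return both escapings side by side so the difference is visible per input.
 *
 * @return array{legacy: string, quotes: string}
 */
function compareEscaping(string $value): array
{
    return [
        'legacy' => escapeLegacyDefault($value),
        'quotes' => escapeAttr($value),
    ];
}

// Constructed sample inputs (hypothetical, not taken from a real request).
$samples = [
    'single-quote breakout' => "/' onerror='alert(1)",   // the case from the email
    'double-quote breakout' => '/" onerror="alert(1)',   // both flag sets handle this
    'invalid utf-8'         => "caf\xE9 menu",           // Latin-1 byte, not valid UTF-8
];

foreach ($samples as $label => $input) {
    $result = compareEscaping($input);
    printf("%-22s legacy: %s\n",   $label, var_export($result['legacy'], true));
    printf("%-22s quotes: %s\n\n", $label, var_export($result['quotes'], true));
}

// Rendered inside a single-quoted attribute, the legacy output leaves the
// apostrophe untouched, so the attribute value ends early; the ENT_QUOTES
// output keeps the whole string inside the attribute.
$url = $samples['single-quote breakout'];
echo "legacy: <img src='" . escapeLegacyDefault($url) . "' />\n";
echo "quotes: <img src='" . escapeAttr($url) . "' />\n";
```

Two things worth noting when running it: with the legacy flags the single-quote sample is returned unchanged, and the invalid-UTF-8 sample is returned as an empty string (the "losing everything" behaviour the email mentions), whereas the ENT_SUBSTITUTE variant keeps "caf" and "menu" around a replacement character. Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so calling htmlspecialchars() with no flags on a current PHP already gives the "quotes" column; passing the flags explicitly, as the frameworks above do, gives the same result on older versions.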