Newsgroups: php.internals
Xref: news.php.net php.internals:112619
Subject: Re: [PHP-DEV] ENT_COMPAT for htmlentities and htmlspecialchars
From: divinity76@gmail.com (Hans Henrik Bergan)
To: PHP internals
Date: Sat, 26 Dec 2020 12:34:24 +0100

FWIW, I'm surprised by the lack of ENT_DISALLOWED. Personally I use:

    // Escape $str for HTML text or attribute context: both quote styles escaped,
    // invalid UTF-8 replaced with U+FFFD rather than returning '', code points
    // HTML 4.01 disallows replaced, and existing entities encoded again
    // (double_encode = true).
    function tohtml(string $str): string
    {
        return htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
    }

On Sat, 26 Dec 2020 at 12:03, Craig Francis wrote:
> Hi,
>
> Could htmlspecialchars() use ENT_QUOTES by default?
>
> I recently worked on an example script, where I tried to keep it simple by
> using htmlspecialchars directly, e.g.
>
> echo "";
>
> I'd completely forgotten that single quotes are not escaped by default,
> creating an XSS vulnerability, e.g.
>
> $url = "/' onerror='alert(1)";
>
> All the common frameworks I could find use ENT_QUOTES to do this safely
> (details below).
>
> Christoph (cmb69) suggests this was done for HTML4 compatibility, with
> older versions of PHP possibly having issues with numeric character
> references (a quick search suggests PHP 5.4?).
>
> PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue
> to do so - because the named version, &apos; was added in HTML5, but can
> still cause problems with legacy parsers; for example Android 4, and the
> one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
> original HTML spec, and &quot; was added in HTML2).
>
> I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I
> prefer to keep as much of the valid data (rather than losing everything),
> but that's not as important as escaping the apostrophe by default.
>
> Craig
>
>
> WordPress uses ENT_QUOTES (ish).
> https://developer.wordpress.org/reference/functions/esc_html/
>
> Laravel, with Blade, uses ENT_QUOTES:
> https://github.com/illuminate/support/blob/master/helpers.php#L118
>
> Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243
>
> CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120
>
> CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67
>
> Yii uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111
>
> Phalcon uses ENT_QUOTES:
> https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78
>
> FuelPHP uses ENT_QUOTES:
> https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459
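The following is an added example, not code from the thread or from PHP's own sources. It puts the single-quoted-attribute injection Craig describes next to the flag set Hans recommends, and also exercises the two failure modes the flags address: invalid UTF-8 (ENT_SUBSTITUTE) and a code point HTML 4.01 disallows (ENT_DISALLOWED). The function names h_default, h_safe and render_img are made up for the example; h_default passes ENT_COMPAT explicitly so it shows the pre-8.1 default behaviour even on a PHP 8.1+ build, where the defaults were changed to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. It uses htmlspecialchars() rather than htmlentities(); the flags behave the same for both.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). Function names are hypothetical.

// Old default flags: ENT_COMPAT escapes only ", &, < and >; a bare apostrophe
// passes through, and invalid UTF-8 makes the whole result an empty string.
function h_default(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Hardened flags from the thread: both quote styles escaped, invalid UTF-8
// replaced with U+FFFD instead of dropping everything, and code points that
// HTML 4.01 forbids (e.g. C0 controls other than tab, LF and CR) replaced.
function h_safe(string $s): string
{
    return htmlspecialchars(
        $s,
        ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED,
        'UTF-8'
    );
}

// Template using a single-quoted attribute, as in the example script above.
function render_img(string $url, callable $escape): string
{
    return "<img src='" . $escape($url) . "' />";
}

// Constructed attacker input from the thread: closes the src attribute early.
$payload = "/' onerror='alert(1)";

echo render_img($payload, 'h_default'), "\n";
// <img src='/' onerror='alert(1)' />        attribute injected: XSS

echo render_img($payload, 'h_safe'), "\n";
// <img src='/&#039; onerror=&#039;alert(1)' />   stays inside the attribute

// Constructed invalid UTF-8: a lone continuation byte after "caf".
$bad = "caf\xA9";
var_dump(h_default($bad));       // string(0) ""  -- whole value silently lost
var_dump(h_safe($bad) !== '');   // bool(true)    -- U+FFFD substituted, rest kept

// Constructed disallowed code point: U+0001 is not valid HTML 4.01 text.
$ctl = "a\x01b";
var_dump(strpos(h_default($ctl), "\x01") !== false); // bool(true)  -- passed through
var_dump(strpos(h_safe($ctl), "\x01") !== false);    // bool(false) -- replaced
```

Run it with `php example.php`. The second var_dump pair is the reason ENT_SUBSTITUTE matters operationally: without it, a single bad byte anywhere in a user-supplied string turns the entire escaped value into "", which looks like a display bug rather than a security control and tends to get "fixed" by removing the escaping.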