Newsgroups: php.internals
Xref: news.php.net php.internals:112782
Date: Wed, 6 Jan 2021 16:46:38 +0100
From: nikita.ppv@gmail.com (Nikita Popov)
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] ENT_COMPAT for htmlentities and htmlspecialchars

On Sat, Dec 26, 2020 at 12:03 PM Craig Francis wrote:

> Hi,
>
> Could htmlspecialchars() use ENT_QUOTES by default?
>
> I recently worked on an example script, where I tried to keep it simple by
> using htmlspecialchars directly, e.g.
>
> echo "";
>
> I'd completely forgotten that single quotes are not escaped by default,
> creating an XSS vulnerability, e.g.
>
> $url = "/' onerror='alert(1)";
>
> All the common frameworks I could find use ENT_QUOTES to do this safely
> (details below).
>
> Christoph (cmb69) suggests this was done for HTML4 compatibility, with
> older versions of PHP possibly having issues with numeric character
> references (a quick search suggests PHP 5.4?).
>
> PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue
> to do so - because the named version, &apos; was added in HTML5, but can
> still cause problems with legacy parsers; for example Android 4, and the
> one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
> original HTML spec, and &quot; was added in HTML2).
>
> I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I
> prefer to keep as much of the valid data (rather than losing everything),
> but that's not as important as escaping the apostrophe by default.
>
> Craig
>
>
>
> WordPress uses ENT_QUOTES (ish).
> https://developer.wordpress.org/reference/functions/esc_html/
>
> Laravel, with Blade, uses ENT_QUOTES:
> https://github.com/illuminate/support/blob/master/helpers.php#L118
>
> Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243
>
> CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120
>
> CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67
>
> YII uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111
>
> Phalcon uses ENT_QUOTES:
> https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78
>
> FuelPHP uses ENT_QUOTES:
> https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459

I agree that we should switch the default to ENT_QUOTES. I also agree that
we should enable ENT_SUBSTITUTE by default. I don't see any downside to
these two options.

Would you like to submit a PR?

Nikita
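The single-quote attribute break-out Craig describes, and what the two flags Nikita agrees to change about it, as an added example that is not part of the original mails and not PHP's own code. The helper names (escapeCompat, escapeQuotes, imgTag, staysInsideSingleQuotedAttribute) and the sample inputs are constructed for this illustration. The flags are passed explicitly on every call because PHP 8.1 later made ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 the default, so relying on the default would make the output depend on the interpreter version.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from PHP or from the original
// mails. Reproduces the single-quoted attribute injection described above
// and shows what ENT_QUOTES and ENT_SUBSTITUTE change. Flags are always
// passed explicitly so the result does not depend on the PHP version's
// default $flags.

// The flags the thread says htmlspecialchars() defaulted to at the time:
// ENT_COMPAT converts " but leaves ' untouched.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// The flags the thread proposes as the new default: ENT_QUOTES also
// converts ' (to &#039; under ENT_HTML401), and ENT_SUBSTITUTE replaces
// invalid UTF-8 with U+FFFD instead of making the whole call return "".
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The tag pattern from the thread: a single-quoted src attribute around
// user-controlled data. $escape is one of the two functions above.
function imgTag(string $url, callable $escape): string
{
    return "<img src='" . $escape($url) . "' />";
}

// A raw ' in the escaped value is exactly the byte that can close a
// single-quoted attribute; if none survives, the value stays one string.
function staysInsideSingleQuotedAttribute(string $escaped): bool
{
    return strpos($escaped, "'") === false;
}

// Constructed attacker input taken from the thread: closes src and
// smuggles in an event handler.
$url = "/' onerror='alert(1)";

echo "ENT_COMPAT:                ", imgTag($url, 'escapeCompat'), "\n";
echo "  attribute intact: ",
    staysInsideSingleQuotedAttribute(escapeCompat($url)) ? "yes" : "no", "\n";

echo "ENT_QUOTES|ENT_SUBSTITUTE: ", imgTag($url, 'escapeQuotes'), "\n";
echo "  attribute intact: ",
    staysInsideSingleQuotedAttribute(escapeQuotes($url)) ? "yes" : "no", "\n";

// The named entity the thread warns about for legacy parsers: under
// ENT_HTML5, PHP emits &apos; for ' instead of the numeric &#039;.
echo "ENT_QUOTES|ENT_HTML5 for ': ",
    htmlspecialchars("'", ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";

// ENT_SUBSTITUTE: constructed input containing 0xFF, a byte that is never
// valid in UTF-8. Without the flag the entire string is dropped; with it
// only the bad byte becomes U+FFFD and the valid data (and the escaping
// of <b>) is kept. json_encode() is used only to make the bytes visible.
$broken = "caf\xC3\xA9 \xFF <b>";
echo "without ENT_SUBSTITUTE: ",
    json_encode(htmlspecialchars($broken, ENT_QUOTES | ENT_HTML401, 'UTF-8')), "\n";
echo "with ENT_SUBSTITUTE:    ",
    json_encode(escapeQuotes($broken)), "\n";
```

Run it with `php example.php`. With ENT_COMPAT the apostrophe in the payload is passed through, so the rendered tag gains an `onerror` attribute and the intact check reports "no"; with ENT_QUOTES every apostrophe becomes `&#039;` and the whole payload remains the value of `src`. For the invalid-UTF-8 input, the call without ENT_SUBSTITUTE returns an empty string, which is the "losing everything" Craig refers to, while the call with it keeps the valid text and substitutes U+FFFD for the single bad byte.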