Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:112789
Return-Path: <claude.pache@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6580 invoked from network); 7 Jan 2021 09:24:02 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 7 Jan 2021 09:24:02 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id E90F5180503
	for <internals@lists.php.net>; Thu,  7 Jan 2021 01:00:41 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <claude.pache@gmail.com>
Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu,  7 Jan 2021 01:00:41 -0800 (PST)
Received: by mail-wm1-f46.google.com with SMTP id 190so4511862wmz.0
        for <internals@lists.php.net>; Thu, 07 Jan 2021 01:00:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:message-id:mime-version:subject:date:in-reply-to:cc:to
         :references;
        bh=LPdfYLsyY7Pz/OKHM+niPhMU5UEUlXFC80ts/m8QOgE=;
        b=qt/ZN4psiGQNmk9YcsD/ft3wbjDXuDi3Sq7I4StwyWVYqaLE+sLm4TAA+TvTVaEhL5
         kDHUEn66TguyycNJeOk/Mye60L2FM1sK6pibSRz/ieSvl5AXu/s68ENDKL8ZieQ5JbjD
         ZIQvF/HjD06oCYuM0qqpTOQOhzl6rC01Aa5gGYWprGgV9tjDq3TVXmRoG9iYKLJu3sdf
         SGyVpQBUn0LrfwIr0zvU0jwxc/6MGOJ3w8YyIERkVubBngP6zaJ22mslma3DGVTuCdr2
         IJ8IggqOvIvIQB9gAFkY/Vl/1NvvUYSgSVNGRFT19Rv7QA4jYHpCxjqI/bvPgAmLXkUj
         gXEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:message-id:mime-version:subject:date
         :in-reply-to:cc:to:references;
        bh=LPdfYLsyY7Pz/OKHM+niPhMU5UEUlXFC80ts/m8QOgE=;
        b=r2v2Jk2JFP199VFm7tDtlVoRcMYpgLk+IxGGdu2Z7nhWLoX0744LjNFN1sV5X4L9rY
         3QJ5TekPSXfyI45NqGB9CYOFwjDIe21mALPhgkUbGZFVXztPJZWYCQFj8DHdQa/jtKf/
         o+5c1SJjhMVS+U08oZ8sSKPqeRs0AuQMMOF7PfbsjF+L/+tzeNYYb/ESDNYbKj2/RaAZ
         a9t+Qq5O3BZslKwj0MCUNOlJ4H3RBXzOfVSkXFiBiUEj8c3WrtaeWHhQP5y+cKAVD9r1
         A/aZGiSE89DqzIqh0Jkg7ximVWBNw+gQorxtMf0/5hhcqo60raou7wQN7g8lQ+wKb9Un
         OPXQ==
X-Gm-Message-State: AOAM5326Na+3hMHWJv8I2oMpSfR3RAatppDssfQjMXKGthxLiihb/VMe
	H05nmoOrjsww/06PsL6h5M8=
X-Google-Smtp-Source: ABdhPJyrPgvuBP01YS9ojyG7c9noESlodCkXnbYIrrVQxnFSVjbg7jX44KkuOa6YB4H0Zkj62Z8QrA==
X-Received: by 2002:a7b:c8da:: with SMTP id f26mr7241391wml.155.1610010036230;
        Thu, 07 Jan 2021 01:00:36 -0800 (PST)
Received: from claude.fritz.box ([89.249.45.14])
        by smtp.gmail.com with ESMTPSA id l16sm7094291wrx.5.2021.01.07.01.00.34
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Jan 2021 01:00:34 -0800 (PST)
Message-ID: <99C71641-5A5B-49C8-8D96-F0C080352B91@gmail.com>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2CE0B141-A294-45B8-B033-C352FCE6A550"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Thu, 7 Jan 2021 10:00:33 +0100
In-Reply-To: <CAF+90c-Zhsw-s1VjN1NXHEkuYO+wOTVwbkMbNOJ=EA3mdnQGwQ@mail.gmail.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>,
 PHP internals <internals@lists.php.net>
To: Nikita Popov <nikita.ppv@gmail.com>
References: <CAFv4g+GezouDRdyeyOV2eTvNi0K-jko+jf2QBc+MhjbwNiqR1Q@mail.gmail.com>
 <CAF+90c-Zhsw-s1VjN1NXHEkuYO+wOTVwbkMbNOJ=EA3mdnQGwQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Subject: Re: [PHP-DEV] ENT_COMPAT for htmlentities and htmlspecialchars
From: claude.pache@gmail.com (Claude Pache)

--Apple-Mail=_2CE0B141-A294-45B8-B033-C352FCE6A550
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> Le 6 janv. 2021 =C3=A0 16:46, Nikita Popov <nikita.ppv@gmail.com> a =
=C3=A9crit :
>=20
> On Sat, Dec 26, 2020 at 12:03 PM Craig Francis =
<craig@craigfrancis.co.uk>
> wrote:
>=20
>> Hi,
>>=20
>> Could htmlspecialchars() use ENT_QUOTES by default?
>>=20
>> I recently worked on an example script, where I tried to keep it =
simple by
>> using htmlspecialchars directly, e.g.
>>=20
>>    echo "<img src=3D'" . htmlspecialchars($url) . "'>";
>>=20
>> I'd completely forgotten that single quotes are not escaped by =
default,
>> creating a XSS vulnerability, e.g.
>>=20
>>    $url =3D "/' onerror=3D'alert(1)";
>>=20
>> All the common frameworks I could find use ENT_QUOTES to do this =
safely
>> (details below).
>>=20
>> Christoph (cmb69) suggests this was done for HTML4 compatibility, =
with
>> older versions of PHP possibly having issues with numeric character
>> references (a quick search suggests PHP 5.4?).
>>=20
>> PHP uses the numeric version &#039; with ENT_QUOTES, and it should =
continue
>> to do so - because the named version, &apos; was added in HTML5, but =
can
>> still cause problems with legacy parsers; for example Android 4, and =
the
>> one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
>> original HTML spec, and &quot; was added in HTML2).
>>=20
>> I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as =
I
>> prefer to keep as much of the valid data (rather than losing =
everything),
>> but that's not as important as escaping the apostrophe by default.
>>=20
>> Craig
>>=20
>>=20
>>=20
>>=20
>> WordPress uses ENT_QUOTES (ish).
>>=20
>> https://developer.wordpress.org/reference/functions/esc_html/
>>=20
>> Laravel, with Blade, uses ENT_QUOTES:
>>=20
>> https://github.com/illuminate/support/blob/master/helpers.php#L118
>>=20
>> Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
>>=20
>>=20
>> =
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.ph=
p#L243
>>=20
>> CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
>>=20
>>=20
>> =
https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdPart=
y/Escaper/Escaper.php#L120
>>=20
>> CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
>>=20
>> =
https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67
>>=20
>> YII uses ENT_QUOTES | ENT_SUBSTITUTE:
>>=20
>>=20
>> =
https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php=
#L111
>>=20
>> Phalcon uses ENT_QUOTES:
>>=20
>> =
https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78
>>=20
>> FuelPHP uses ENT_QUOTES:
>>=20
>> https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459
>=20
>=20
> I agree that we should switch the default to ENT_QUOTES. I also agree =
that
> we should enable ENT_SUBSTITUTE by default. I don't see any downside =
to
> these two options.
>=20
> Would you like to submit a PR?
>=20
> Nikita


For ENT_SUBSTITUTE, there has been https://bugs.php.net/bug.php?id=3D69450=
 <https://bugs.php.net/bug.php?id=3D69450>, but I don=E2=80=99t =
understand the objection in that bug report. Maybe there is some issue =
related to non-Unicode multibyte encodings?

=E2=80=94Claude


--Apple-Mail=_2CE0B141-A294-45B8-B033-C352FCE6A550--