Newsgroups: php.internals
Date: Fri, 9 Oct 2009 04:26:48 +0900
From: ebihara@tejimaya.com (Kousuke Ebihara)
To: internals@lists.php.net
Subject: #49785 htmlspecialchars() should check byte sequence more strictly
Message-ID: <64C0D3FB-9681-4448-891A-2B341143AB08@tejimaya.com>

Hi,

Jani closed the following bug report:

  #49785 htmlspecialchars() should check byte sequence more strictly
  http://bugs.php.net/bug.php?id=49785

But I think that his reaction isn't good. Does he truly understand this problem? This is a SECURITY PROBLEM.

Some Japanese experts in security discussed this problem. This report is the result of those discussions.

I explain this problem in English:
http://co3k.org/sample/php_bugs_49785.html

Do you still want to reject this problem?

We want to talk about this problem with someone else who is well informed about encoding. Would you bring in such a person?

Thanks,
--
Kousuke Ebihara
ebihara@tejimaya.com
http://sns.openpne.jp/?a=page_f_home&target_c_member_id=807

OpenPNE Project http://www.openpne.jp
Tejimaya.inc http://tejimaya.com