Newsgroups: php.internals
Xref: news.php.net php.internals:71991
From: Rouven Weßling <me@rouvenwessling.de>
To: Stas Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Date: Sun, 2 Feb 2014 12:08:22 +0100
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
Message-ID: <946C4AF4-4656-4F7A-B1C6-7D1144FEFB3D@rouvenwessling.de>
In-Reply-To: <52EE1C2B.7030702@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com>

On 02.02.2014, at 11:21, Stas Malyshev wrote:

>> Making ENT_QUOTES the default is a good idea also.
>> I should have added this to the RFC.
>
> Why is it a good idea? Could you explain what it adds to the security of
> this function?

I suppose the argument could be made for "safe by default", since single quotes are now valid for HTML attributes as well. (I miss XHTML...)

More interesting to me, what's the use case for ENT_NOQUOTES? This one causes issues whatever attribute syntax one chooses.

Best regards
Rouven
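The point Rouven makes about the quote flags can be checked directly. The script below is an added example, not code from the thread or from the PHP project: it runs htmlspecialchars() over a constructed sample value with each of ENT_NOQUOTES, ENT_COMPAT and ENT_QUOTES and reports which attribute delimiter (single or double quote) survives unescaped in the output. The helper name attrWithFlag and the sample string are assumptions made for this illustration.

```php
<?php
// Added example, not part of the original mailing-list message.
// Demonstrates what each quote flag of htmlspecialchars() leaves
// untouched, and therefore which attribute delimiter a value could
// still terminate early when inserted into an HTML attribute.

declare(strict_types=1);

// Constructed sample value containing both quote characters and a tag.
const SAMPLE = "O'Reilly says \"hi\" <b>";

/**
 * Escape $value with the given quote flag (hypothetical helper) and
 * report whether either attribute delimiter is still present afterwards.
 * A surviving delimiter means the value is not safe for an attribute
 * quoted with that character.
 */
function attrWithFlag(string $value, int $quoteFlag): array
{
    // ENT_HTML401 makes ' become &#039; when ENT_QUOTES is set;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $escaped = htmlspecialchars($value, $quoteFlag | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8');

    return [
        'escaped'               => $escaped,
        'single_quote_survives' => strpos($escaped, "'") !== false,
        'double_quote_survives' => strpos($escaped, '"') !== false,
    ];
}

$flags = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // converts neither quote
    'ENT_COMPAT'   => ENT_COMPAT,   // converts " only (pre-8.1 default)
    'ENT_QUOTES'   => ENT_QUOTES,   // converts both " and '
];

foreach ($flags as $name => $flag) {
    $r = attrWithFlag(SAMPLE, $flag);
    printf(
        "%-12s %-48s single ' survives: %-3s double \" survives: %s\n",
        $name,
        $r['escaped'],
        $r['single_quote_survives'] ? 'yes' : 'no',
        $r['double_quote_survives'] ? 'yes' : 'no'
    );
}
```

Run with `php example.php`. ENT_NOQUOTES leaves both quote characters in place, so the output cannot be safely placed in either a single-quoted or a double-quoted attribute, which is the problem Rouven points at; ENT_COMPAT protects only double-quoted attributes; ENT_QUOTES is the only flag whose output is safe in both attribute syntaxes.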