Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72038 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 77688 invoked from network); 3 Feb 2014 05:34:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 05:34:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.175 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.175 mail-lb0-f175.google.com Received: from [209.85.217.175] ([209.85.217.175:55507] helo=mail-lb0-f175.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 90/11-03615-F6A2FE25 for ; Mon, 03 Feb 2014 00:34:40 -0500 Received: by mail-lb0-f175.google.com with SMTP id p9so4916966lbv.6 for ; Sun, 02 Feb 2014 21:34:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=6t+5IGdnQyB56xngnWzb9kPwluuZnMeOrzs6gnDCiGc=; b=fJLC+YkR89AFoDi758r/v82cK1jW2EX8hdPRhzg9d1U5aZUnxSsuLnXKm0+T6ImXdl GrX5FRj5ZHi7oS0uMqxvlsXBJbxfEKIWtmOVzp6igbL+67bQNr4UzGUPat9By48mJN7k /gahVlI3HCA31aOPKgvZVeoA7RIsOw+4X3bp9Qvpu+Td9BgvNv17/bVC8yGmZ5Kr+BTR QknlheQodQ9/5jVKtDybwypqwMYV/xnUGoxasD9wZw7K3Y+wHxeLTS3nR5DZlU3nu0wJ c66pZslM9yh/ROv9EN+A7uY1UlwdtXVZBgaVr0XFDwveVXDe8812mYhbCh6XVH+KcEC4 vIjw== X-Received: by 10.112.158.131 with SMTP id wu3mr22665571lbb.6.1391405676124; Sun, 02 Feb 2014 21:34:36 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.199.37 with HTTP; Sun, 2 Feb 2014 21:33:55 -0800 (PST) In-Reply-To: References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> Date: Mon, 3 Feb 2014 14:33:55 +0900 X-Google-Sender-Auth: syKiOFD506LSuUVs6fhzYquZXXI Message-ID: To: Stas Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c37b32105f5404f179e131 Subject: Re: [PHP-DEV] [RFC] Improve HTML escape From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c37b32105f5404f179e131 Content-Type: text/plain; charset=UTF-8 Hi all, On Mon, Feb 3, 2014 at 10:43 AM, Yasuo Ohgaki wrote: > On Sun, Feb 2, 2014 at 7:21 PM, Stas Malyshev wrote: > >> > Making ENT_QUOTES as a default is good idea also. >> > I should have add this to the RFC. >> >> Why is it a good idea? Could you explain what it adds to the security of >> this function? > > > Users can do > > > > and this is valid. I think there is no reason not to escape ' by default. > > I agree that user should not use unquoted attributes in general. > > '/' escape could be still useful. For example, user may have validation > code that allows printable ASCII chars w/o spaces. '/' escape may protect > apps from generating invalid tag in this case. > > We could say "your application is broken in first place". > However, both "'" and '/" escapes do not break apps at all, yet it > covers some issues. > > There is no reason not to escape these chars by default. IMHO. > Even we may deprecate ENT_COMPAT and ENT_QUOTES. We may ignore them and escape all chars recommended by OWASP always. (Except ENT_NOQUOTES) I think ENT_COMPAT/ENT_QUOTES does bad things rather than good. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c37b32105f5404f179e131--