Newsgroups: php.internals
Xref: news.php.net php.internals:72079
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: padraic.brady@gmail.com (Pádraic Brady)
To: Stas Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Date: Mon, 3 Feb 2014 11:06:22 +0000
In-Reply-To: <52EF50B6.1030404@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com>

Hi Stas,

On 3 February 2014 08:17, Stas Malyshev wrote:
>
> Hi!
>
> > Users can do
> >
> > '
>
> They also can do and . That's
> not what they _should_ be doing, but they _can_ do it. That doesn't mean
> there's something wrong with echo or PHP compiler.

I don't believe this has anything to do with the question at hand.

> > and this is valid. I think there is no reason not to escape ' by default.
> >
> > I agree that user should not use unquoted attributes in general.
> >
> > '/' escape could be still useful. For example, user may have validation
>
> I don't see how it would be useful.

I'm not sure it is either. OWASP definitely notes it, but it's not an attribute termination character inside quotes.

> > There is no reason not to escape these chars by default. IMHO.
>
> There is a reason - there's no reason to escape them. In every scenario
> that htmlentities should be used, escaping them is useless. In every
> scenario where escaping / is useful, htmlentities should not be used. By
> promoting usage of htmlentities in scenarios where it should absolutely
> not be used, we are only doing the users a disservice.

There are three ways to present an attribute value validly in HTML5:

1. Double quoted
2. Single quoted
3. Unquoted.

Bearing in mind that people who use htmlentities() make a mockery of UTF-8 by overescaping and increasing output page size for no good reason whatsoever, both htmlspecialchars() and htmlentities() only work by default for the first option. They do not work by default for the last two options.

In userland, virtually all security-conscious libraries and frameworks cover TWO options: 1 and 2 by setting ENT_QUOTES. It seems reasonable for PHP to make the change also unless it has some hitherto unmentioned downside.

Also, for reference, here is the actual paragraph from the OWASP XSS cheatsheet:

"Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity."

I read "entity" as "tag".

-- 
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
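The point made in this message, that ENT_QUOTES covers quoting styles 1 and 2 while nothing in htmlspecialchars() covers unquoted attributes, as an added example that is not part of the thread or of PHP's own code: the sample value and the helper names escape_compat, escape_quotes and attribute_intact are assumptions, and the flags are passed explicitly so the output does not depend on the running PHP version's default flags.

```php
<?php
// Added example (not from the thread): how ENT_QUOTES changes which of the
// three HTML5 attribute quoting styles an escaped value can still terminate.
// Flags are passed explicitly so the result does not depend on the PHP
// version's default flags for htmlspecialchars().
declare(strict_types=1);

// Constructed sample value: a legitimate string containing both quote characters.
const SAMPLE = "O'Reilly \"Books\"";

// Hypothetical helper: the pre-8.1 default behaviour (ENT_COMPAT escapes " but not ').
function escape_compat(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Hypothetical helper: ENT_QUOTES, as the userland libraries mentioned above do.
function escape_quotes(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Does the escaped value still contain a character that would end an attribute
// written in $style? Unquoted values end at whitespace and a few other
// characters, so no entity-escaping flag can make that style safe.
function attribute_intact(string $escaped, string $style): bool
{
    switch ($style) {
        case 'double':   return strpos($escaped, '"') === false;
        case 'single':   return strpos($escaped, "'") === false;
        case 'unquoted': return preg_match('/[\s"\'=<>`]/', $escaped) === 0;
        default:         throw new InvalidArgumentException("unknown style: $style");
    }
}

foreach (['escape_compat', 'escape_quotes'] as $escaper) {
    $escaped = $escaper(SAMPLE);
    printf("%-13s -> %s\n", $escaper, $escaped);
    foreach (['double', 'single', 'unquoted'] as $style) {
        printf("  %-8s attribute: %s\n", $style,
            attribute_intact($escaped, $style) ? 'intact' : 'breakable');
    }
}
```

Running it shows the apostrophe surviving escape_compat unchanged, so only the double-quoted style is intact there, while escape_quotes leaves both quoted styles intact and the unquoted style breakable under either helper because of the space.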