Newsgroups: php.internals
Xref: news.php.net php.internals:72137
Date: Tue, 4 Feb 2014 07:04:07 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
In-Reply-To: <52EF50B6.1030404@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape

Hi Stas,

On Mon, Feb 3, 2014 at 5:17 PM, Stas Malyshev wrote:
> > Users can do
> >
> >
> They also can do and . That's
> not what they _should_ be doing, but they _can_ do it. That doesn't mean
> there's something wrong with echo or the PHP compiler.
>
> > and this is valid. I think there is no reason not to escape ' by default.
> >
> > I agree that users should not use unquoted attributes in general.
> >
> > '/' escape could still be useful. For example, a user may have validation
>
> I don't see how it would be useful.
>
> > code that allows printable ASCII chars w/o spaces. '/' escape may protect
> > apps from generating an invalid tag in this case.
>
> This seems to be a very contrived scenario invented to fit your point.
> If they already pre-filter input, they could also remove / or other
> special characters. The fact is that htmlentities is useless as a security
> feature in this context, and removing / does not make it useful. Saying
> "we'll add escape so that it would be safe" is a magic-quotes kind of
> mistake - it gives the users the wrong impression that it's OK to do things
> that they should not be doing.
>
> > There is no reason not to escape these chars by default. IMHO.
>
> There is a reason - there's no reason to escape them. In every scenario
> where htmlentities should be used, escaping them is useless. In every
> scenario where escaping / is useful, htmlentities should not be used. By
> promoting usage of htmlentities in scenarios where it should absolutely
> not be used, we are only doing the users a disservice.
I think we have different perspectives. Some users have to conform to standards like PCI DSS. PCI DSS requires following security standards and guidelines from OWASP, SANS, etc. Why not make PHP standard compliant? It does not hurt existing applications at all, and this is a simple enough change.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
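The escaping behaviour argued over in this thread, as an added PHP example that is not part of the thread or of the RFC: it shows what htmlspecialchars() produces for the characters ' " / under the pre-8.1 default flags (ENT_COMPAT | ENT_HTML401, which leaves ' alone) and under ENT_QUOTES, beside an escaper written to the OWASP XSS Prevention Cheat Sheet rule that also maps / to &#x2F;. It then renders each result into an unquoted and a quoted attribute so the reader can see that whitespace, not ' or /, is what breaks out of an unquoted attribute. The function names (escape_compat, escape_quotes, owasp_escape, render_unquoted, render_quoted) and the sample input are this example's own and are not PHP or RFC API; the no-whitespace validation scenario raised in the quoted message is deliberately not modelled here.

```php
<?php
// Added example, not code from the php.internals thread or the RFC.
// Function names and the sample input below are this example's own.

declare(strict_types=1);

// Constructed input: contains every character whose treatment the thread
// discusses (' " / < > &) plus a space, so attribute breakout is visible.
$input = "x' onmouseover=alert(1) /\"<b>&";

// Default flags of htmlspecialchars() before PHP 8.1: ENT_COMPAT | ENT_HTML401.
// " < > & are encoded; ' is passed through unchanged.
// (PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.)
function escape_compat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// ENT_QUOTES: both ' and " are encoded (' becomes &#039; with ENT_HTML401).
// / is still passed through.
function escape_quotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// OWASP XSS Prevention Cheat Sheet, rule #1 mapping: the same six characters
// as ENT_QUOTES plus / encoded as &#x2F;. Implemented with a single-pass
// strtr() so nothing is double-encoded.
function owasp_escape(string $s): string
{
    return strtr($s, [
        '&'  => '&amp;',
        '<'  => '&lt;',
        '>'  => '&gt;',
        '"'  => '&quot;',
        "'"  => '&#x27;',
        '/'  => '&#x2F;',
    ]);
}

// Unquoted attribute: the HTML tokenizer ends the value at the first
// whitespace character, so everything after the space becomes a new
// attribute no matter how ' " / were escaped.
function render_unquoted(string $escaped): string
{
    return "<a href=$escaped>link</a>";
}

// Quoted attribute: the value ends only at the closing ", and every escaper
// above encodes " so the value cannot terminate early.
function render_quoted(string $escaped): string
{
    return "<a href=\"$escaped\">link</a>";
}

$escapers = [
    'compat' => 'escape_compat',
    'quotes' => 'escape_quotes',
    'owasp'  => 'owasp_escape',
];

foreach ($escapers as $name => $fn) {
    $escaped = $fn($input);
    printf("%-7s escaped:  %s\n", $name, $escaped);
    printf("        unquoted: %s\n", render_unquoted($escaped));
    printf("        quoted:   %s\n", render_quoted($escaped));
    echo "\n";
}
```

Run it with php on the command line and compare the three "unquoted" lines: in each one the text after the space has become a separate onmouseover attribute, while the three "quoted" lines keep the whole value inside href. Whether / is encoded changes only how the value reads, not where the attribute ends.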