Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: smalyshev@sugarcrm.com (Stas Malyshev)
To: Yasuo Ohgaki
CC: internals@lists.php.net
Date: Mon, 03 Feb 2014 14:14:27 -0800
Organization: SugarCRM
Message-ID: <52F014C3.4060007@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com>

Hi!

> Some users have to conform to standards like PCI DSS.
> PCI DSS requires following security standards and guidelines from OWASP,
> SANS, etc.
>
> Why not make PHP standard compliant?
> It does not hurt existing applications at all and this is a simple enough
> change.

I'm sorry, could you please quote me a standard that requires PHP to escape / in a function called htmlentities? If there's no such standard, the argument of "but the standard requires it" is void. No standard can require you to use htmlentities where it should not be used.

Putting stuff into the language just because somebody on the internet mentioned in a different context that it might be a good idea - is not. We should understand _why_ it is done and _why_ it is a good idea, especially when we're talking about security. In this case, the proposed use case should _never_ be used with htmlentities, due to an obvious gaping security hole. Adding code to enable such a scenario is just not right. Instead, we should tell people "Never ever do it. Ever.".

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227