Newsgroups: php.internals (php.internals:72147)
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Tue, 4 Feb 2014 07:21:45 +0900
In-Reply-To: <52F014C3.4060007@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F014C3.4060007@sugarcrm.com>

Hi Stas,

On Tue, Feb 4, 2014 at 7:14 AM, Stas Malyshev wrote:
> > Some users have to conform to standards like PCI DSS.
> > PCI DSS requires following security standards and guidelines from OWASP,
> > SANS, etc.
> >
> > Why not make PHP standard compliant?
> > It does not hurt existing applications at all, and this is a simple enough
> > change.
>
> I'm sorry, could you please quote me a standard that requires PHP to
> escape / in a function called htmlentities?

I've already written the URL to OWASP.

PCI DSS v3 states in section 6.5:

  Develop applications based on secure coding guidelines.

  Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with
  industry best practices when this version of PCI DSS was published.
  However, as industry best practices for vulnerability management are
  updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure
  Coding, etc.), the current best practices must be used for these
  requirements.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net