Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72148
Return-Path: <smalyshev@sugarcrm.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 76784 invoked from network); 3 Feb 2014 22:24:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2014 22:24:19 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.75 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@sugarcrm.com
X-Host-Fingerprint: 108.166.43.75 smtp75.ord1c.emailsrvr.com Linux 2.6
Received: from [108.166.43.75] ([108.166.43.75:54911] helo=smtp75.ord1c.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 61/5C-35654-21710F25 for <internals@lists.php.net>; Mon, 03 Feb 2014 17:24:19 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp2.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 913501E80AA;
	Mon,  3 Feb 2014 17:24:16 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp2.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 4EB011E80CF;
	Mon,  3 Feb 2014 17:24:16 -0500 (EST)
Message-ID: <52F01716.2040304@sugarcrm.com>
Date: Mon, 03 Feb 2014 14:24:22 -0800
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXbFk3+ScywpkeGcFUcmVvxLRHeWrdObvOshx6NjuB2YHw@mail.gmail.com> <52EDBB30.3070209@ajf.me> <CAGa2bXYMPM2+HinAANcDv2gvGNtfPHYFcKr=qrmXrsRPEbsiog@mail.gmail.com> <52EE1C2B.7030702@sugarcrm.com> <CAGa2bXYJAz8jMRmL4d9uHvspzg12km=ZosBtvqwywwc1wzmVuw@mail.gmail.com> <52EF50B6.1030404@sugarcrm.com> <CAGa2bXakB1YY4kxJc87m2tzjDjLGkw93QV2WfiN+9XAGUYxQ-A@mail.gmail.com> <52F014C3.4060007@sugarcrm.com> <CAGa2bXbV-dzCRq7uoyjme9_ufyK-cqAGzMTOw98JpBoVRCe0hA@mail.gmail.com>
In-Reply-To: <CAGa2bXbV-dzCRq7uoyjme9_ufyK-cqAGzMTOw98JpBoVRCe0hA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> I've already written the URL to OWASP.
> 
> PCI DSS v3 states in section 6.5
> 
> Develop applications based on secure coding guidelines. 

Secure coding guidelines in this case is to not use htmlentities in this
context. If you already violate this requirement, why would you expect
PHP to un-violate it for you?

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227