Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: Pádraic Brady <padraic.brady@gmail.com>
To: Stas Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Date: Mon, 3 Feb 2014 22:31:14 +0000
In-Reply-To: <52F014C3.4060007@sugarcrm.com>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F014C3.4060007@sugarcrm.com>

Stas,

On 3 February 2014 22:14, Stas Malyshev wrote:
> Hi!
>
>> Some users have to conform to standards like PCI DSS.
>> PCI DSS requires following security standards and guidelines from OWASP,
>> SANS, etc.
>>
>> Why not make PHP standard compliant?
>> It does not hurt existing applications at all and this is a simple enough
>> change.
>
> I'm sorry, could you please quote me a standard that requires PHP to
> escape / in a function called htmlentities? If there's no such standard,
> the argument of "but the standard requires it" is void. No standard can
> require you to use htmlentities where it should not be used. Putting
> stuff into the language just because somebody on the internet mentioned in a
> different context that it might be a good idea - is not. We should
> understand _why_ it is done and _why_ it is a good idea, especially when
> we're talking about security. In this case, the proposed use case should
> _never_ be used with htmlentities, due to an obvious gaping security hole.
> Adding code to enable such a scenario is just not right. Instead, we
> should tell people "Never ever do it. Ever.".

There is far too much going on here...

1. Bear in mind that htmlentities() and htmlspecialchars() are equivalent for HTML special characters.
2. PCI DSS is a real standard that real people apply in real applications. You can google it if you don't believe me. It's at version 3.0.
3. PCI DSS specifically notes OWASP guides as a source of best practice as part of Requirement 6 (which covers XSS among other things).
4. The OWASP guide for XSS mentions escaping the forward slash.
5. We do not currently escape the forward slash.

While I'm dubious about forward slash escaping myself and think it might have been OWASP veering into overkill, it doesn't change the fact that Yasuo's argument is perfectly sound. Nor does it change the state of single quote escaping, which is very obviously out of sync with best practice.

Ignoring all this is tantamount to telling people not to use htmlspecialchars() or htmlentities() at all. As in, never! Which, coincidentally, is almost the current best practice in PHP, where we wrap those functions for the sake of insulating ourselves from their more colourful behaviours.

Yep, the standard is not to use these functions as-is. It would be nice to see them fixed or replaced, but I'm not holding my breath.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
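To make the behaviours the reply refers to concrete, an added example that is not part of the original thread: what the default htmlspecialchars() flags leave untouched, and a wrapper of the kind the author says PHP code uses instead (escapeHtml is an assumed name, not a PHP or Zend Framework function). It assumes PHP 5.4 or later, where ENT_SUBSTITUTE exists and the default charset is UTF-8.

```php
<?php
// Added example, not from the thread. Assumes PHP 5.4+.
// Before PHP 8.1 the default flag set is ENT_COMPAT | ENT_HTML401, which
// encodes & < > " but leaves the single quote alone; no flag set ever
// encodes the forward slash that the OWASP XSS guide recommends escaping.

// Hypothetical wrapper: explicit flags, explicit charset, invalid byte
// sequences replaced instead of returning an empty string, and '/' encoded.
function escapeHtml($value, $encoding = 'UTF-8')
{
    $escaped = htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
        $encoding
    );
    // htmlspecialchars() never touches '/', so it is encoded separately.
    return str_replace('/', '&#x2F;', $escaped);
}

// Constructed sample value containing every delimiter under discussion.
$sample = "<a href='/x' onclick=\"alert(1)\">It's / here</a>";

// Default call: " is encoded, but ' and / pass through unchanged, so the
// result is still unsafe inside a single-quoted attribute.
echo "default:    ", htmlspecialchars($sample), "\n";

// ENT_QUOTES additionally encodes ' as &#039;, but / is still unchanged.
echo "ENT_QUOTES: ", htmlspecialchars($sample, ENT_QUOTES, 'UTF-8'), "\n";

// Wrapper: all of & < > " ' and / are neutralised.
echo "wrapper:    ", escapeHtml($sample), "\n";

// Point 1 of the reply: for these characters htmlentities() and
// htmlspecialchars() produce the same output.
var_dump(
    htmlentities($sample, ENT_QUOTES, 'UTF-8')
    === htmlspecialchars($sample, ENT_QUOTES, 'UTF-8')
);
```

Running it side by side shows that the single-quote gap is a matter of the default flags, while the forward slash can only be covered by a wrapper such as this one.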