Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Pádraic Brady
Cc: Stas Malyshev, internals@lists.php.net
Date: Tue, 4 Feb 2014 07:37:49 +0900
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F014C3.4060007@sugarcrm.com>

Hi Padraic,

On Tue, Feb 4, 2014 at 7:31 AM, Pádraic Brady wrote:
> While I'm dubious about forward slash escaping myself and think it
> might have been OWASP veering into overkill,

Yes they are. They are very conservative about security. For example, they
suggest escaping almost all characters by applying hex escapes for JavaScript
string literals. It may be too much, but I'm sure it's more secure.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
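The two "conservative" escaping rules the thread refers to, as an added example that is not part of the mailing-list post, the RFC, or PHP's own htmlspecialchars: an HTML escaper that also encodes the forward slash as &#x2F; (the behaviour Pádraic calls possible overkill), and a JavaScript string-literal escaper in the style Yasuo describes, where only letters and digits pass through and every other character becomes a \xHH or \uHHHH escape. The function names escapeHtml, escapeJsString and roundTrips, and the exact character sets, are my own choices for illustration, not names from the thread or from PHP.

```javascript
// Added example (not code from the PHP internals thread or the RFC).
// Two escapers in the "escape almost everything" style discussed there.

// 1. HTML escaping: the usual five characters plus "/" -> &#x2F;.
//    Encoding "/" closes off the case where an attribute or text node
//    containing "</" could terminate an element such as <script> in
//    contexts where the surrounding markup is not under our control.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// 2. JavaScript string-literal escaping, OWASP-style: letters and digits
//    pass through; everything else is hex-escaped.  Code units below 0x100
//    become \xHH, the rest become \uHHHH (astral code points are emitted as
//    their two UTF-16 surrogates).  The output is meant to be placed inside
//    a quoted JS string literal, e.g. var x = "…"; in an inline script.
function escapeJsString(str) {
  let out = "";
  for (const ch of String(str)) {          // iterates by code point
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
      continue;
    }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else {
      // For BMP characters ch.length is 1; for astral ones it is 2
      // (a surrogate pair), and each half gets its own \uHHHH.
      for (let i = 0; i < ch.length; i++) {
        out +=
          "\\u" + ch.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
      }
    }
  }
  return out;
}

// Sanity check for the JS escaper: embedding the escaped text in a quoted
// literal and evaluating it must give back exactly the original string.
// (Uses the Function constructor only to exercise the JS parser; this is a
// test helper, not something to do with untrusted input in production.)
function roundTrips(str) {
  const decoded = new Function('return "' + escapeJsString(str) + '";')();
  return decoded === str;
}

// Constructed sample input, the classic element-closing payload shape.
const SAMPLE = '</script><script>alert("x")</script>';
console.log(escapeHtml(SAMPLE));
console.log(escapeJsString(SAMPLE));
console.log("round trip ok:", roundTrips(SAMPLE + "\n日本 \u{1F600}"));
```

Note the trade-off the thread is arguing about: escapeJsString produces output several times the size of the input and is unreadable in page source, but it leaves no character in the literal that any HTML or JS parser could interpret specially, which is why the OWASP rule errs that way.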