Newsgroups: php.internals
Xref: news.php.net php.internals:72156
Message-ID: <52F02499.3000004@lsces.co.uk>
Date: Mon, 03 Feb 2014 23:22:01 +0000
From: lester@lsces.co.uk (Lester Caine)
To: PHP internals
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F014C3.4060007@sugarcrm.com> <52F01716.2040304@sugarcrm.com>

Yasuo Ohgaki wrote:
> I'm lost here.
> OWASP suggests to escape at least
>
> & --> &amp;
> < --> &lt;
> > --> &gt;
> " --> &quot;
> ' --> &#x27;  (&apos; not recommended because it's not in the HTML spec (See: section 24.4.1); &apos; is in the XML and XHTML specs.)
> / --> &#x2F;  (forward slash is included as it helps end an HTML entity)
>
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
>
> I'm not sure why you state "already violate this requirement".

It may be that what you are asking for is a flag on htmlentities for an 'OWASP' compliant option. Others would probably view that as then not being html5 compliant, since html5 has its own list of 'escaped' characters. One of the irritating things I find is that 'unescaping' a string does not return the original string simply because the html5 rule has not been followed! A clean html5 result should be the default.

Looking at Rule 2 from OWASP, they are actually asking for every character below 256 to be escaped when used in an attribute! But the important thing here is 'untrusted' data, and sanitising any externally supplied data needs a little more care than simply trying to wrap it in htmlentities, which I think is what Stas is saying? Personally I try to avoid any path where input can be processed directly back to output: filter the input, don't simply try and patch the output.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
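The following is an added example written for this page; it is not code from the thread, from the RFC, or from php-src. It puts PHP's htmlspecialchars() next to the OWASP Rule 1 list quoted in the message and next to an OWASP Rule 2 attribute escaper, and then checks the decode round trip that the reply complains about. The function names owaspEscapeHtml() and owaspEscapeAttr() and the $untrusted input are this example's own; the only PHP built-ins it relies on are htmlspecialchars(), htmlspecialchars_decode(), html_entity_decode(), strtr() and preg_replace_callback().

```php
<?php
declare(strict_types=1);

// Added example (not from the thread, the RFC or php-src). owaspEscapeHtml(),
// owaspEscapeAttr() and $untrusted are names and constructed input of this
// example only.

// OWASP Rule 1: the six characters from the cheat sheet. The apostrophe is
// &#x27; rather than &apos; (which HTML 4.01 does not define) and '/' becomes
// &#x2F; so that an injected "</" cannot close an element.
function owaspEscapeHtml(string $s): string
{
    return strtr($s, [
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#x27;',
        '/' => '&#x2F;',
    ]);
}

// OWASP Rule 2: inside an attribute value, escape every code point below 256
// other than [A-Za-z0-9] as &#xHH;, so that space, '=', '`' and friends cannot
// end an unquoted or oddly quoted attribute. The pattern is applied per UTF-8
// code point (/u), so bytes of sequences for characters >= U+0100 stay as is.
function owaspEscapeAttr(string $s): string
{
    $escaped = preg_replace_callback(
        '/[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\xFF]/u',
        static function (array $m): string {
            $ch = $m[0];
            // One byte: ASCII, the byte is the code point.
            // Two bytes: U+0080..U+00FF, decode the UTF-8 sequence by hand.
            $cp = strlen($ch) === 1
                ? ord($ch)
                : (((ord($ch[0]) & 0x1F) << 6) | (ord($ch[1]) & 0x3F));
            return sprintf('&#x%02X;', $cp);
        },
        $s
    );
    if ($escaped === null) {
        // preg_* returns null on error, e.g. invalid UTF-8 with the /u flag.
        throw new RuntimeException('input is not valid UTF-8');
    }
    return $escaped;
}

// Constructed untrusted input: element-breaking, quote-breaking, '&' and '/'.
$untrusted = '<a href="x" onclick=\'alert(1)\'>Bob & Co/</a>';

// The PHP side of the discussion. ENT_QUOTES escapes both quote styles,
// ENT_HTML5 selects the HTML 5 entity table (&apos; for the apostrophe where
// the HTML 4.01 table gives &#039;), ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string. '/' is not escaped.
$php   = htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
$owasp = owaspEscapeHtml($untrusted);
$attr  = owaspEscapeAttr($untrusted);

echo "htmlspecialchars: $php\n";
echo "OWASP rule 1:     $owasp\n";
echo "OWASP rule 2:     $attr\n";

// Round trips. htmlspecialchars_decode() has to be given the same document
// type flag that was used to encode: &apos; is not an HTML 4.01 entity, so
// decoding HTML 5 output with ENT_HTML401 leaves it in place, which is the
// "does not return the original string" effect described in the reply.
$roundTripSameFlags  = htmlspecialchars_decode($php, ENT_QUOTES | ENT_HTML5) === $untrusted;
$roundTripWrongFlags = htmlspecialchars_decode($php, ENT_QUOTES | ENT_HTML401) === $untrusted;

// html_entity_decode() decodes every numeric entity, so both OWASP forms,
// which never emit a document-type-specific named entity, decode cleanly.
$roundTripOwasp = html_entity_decode($owasp, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $untrusted
    && html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $untrusted;

var_dump($roundTripSameFlags, $roundTripWrongFlags, $roundTripOwasp);
```

Run it with `php` (PHP 7 or later, for the scalar type declarations). The three escaped strings show the two points of disagreement in the thread in one place: htmlspecialchars() leaves '/' alone and writes the apostrophe as &apos; under ENT_HTML5, while the OWASP list uses &#x27; and &#x2F;, and the Rule 2 attribute form is far more aggressive than either. The var_dump() at the end shows that decoding succeeds only when the encode and decode calls agree on the document type flag, which is the argument for making one clean HTML 5 behaviour the default rather than mixing tables.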