Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72172
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27542 invoked from network); 4 Feb 2014 05:47:21 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Feb 2014 05:47:21 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.53 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.53 mail-la0-f53.google.com  
Received: from [209.85.215.53] ([209.85.215.53:54408] helo=mail-la0-f53.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 84/23-09069-7EE70F25 for <internals@lists.php.net>; Tue, 04 Feb 2014 00:47:20 -0500
Received: by mail-la0-f53.google.com with SMTP id e16so6050002lan.40
        for <internals@lists.php.net>; Mon, 03 Feb 2014 21:47:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=wkhuqTU4DRNEHnelBurlw40BjSYb4C4DXp4Glds7d5k=;
        b=Ca4PbU2o7E4w4ESB3s9fQrXZsUbt1sWAnJy0pGDtQ08KsaLhNW3yOByyH3hiza1XkZ
         AY+LJpP1V6T/oE87lF654wqAakaic5Z4hawBWwMKsqqKDzD1PmgnhN/gEsV/EX3QHiX9
         6/7Y3ElHbT55WcLL+d41eH8PY6AftIqT92eYEjBa6SaAQSLoO5G5nKh5NcFMmK7A4Yqx
         pcVwZllU77dIG1/ZxELgFd0zUSFglQpiNsiC8KXUym2feJRRxJynXhvPtgwhiBFr1QNQ
         sJXO3kim2Dz7vFwFiy+5CJXH6Qa43nQdI0wilIVBLZm7wOwFQZ56j9hhYt/0/ktFrS6l
         wbYg==
X-Received: by 10.112.164.5 with SMTP id ym5mr172234lbb.48.1391492837115; Mon,
 03 Feb 2014 21:47:17 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Mon, 3 Feb 2014 21:46:35 -0800 (PST)
In-Reply-To: <52F02499.3000004@lsces.co.uk>
References: <CAGa2bXbFk3+ScywpkeGcFUcmVvxLRHeWrdObvOshx6NjuB2YHw@mail.gmail.com>
 <52EDBB30.3070209@ajf.me> <CAGa2bXYMPM2+HinAANcDv2gvGNtfPHYFcKr=qrmXrsRPEbsiog@mail.gmail.com>
 <52EE1C2B.7030702@sugarcrm.com> <CAGa2bXYJAz8jMRmL4d9uHvspzg12km=ZosBtvqwywwc1wzmVuw@mail.gmail.com>
 <52EF50B6.1030404@sugarcrm.com> <CAGa2bXakB1YY4kxJc87m2tzjDjLGkw93QV2WfiN+9XAGUYxQ-A@mail.gmail.com>
 <52F014C3.4060007@sugarcrm.com> <CAGa2bXbV-dzCRq7uoyjme9_ufyK-cqAGzMTOw98JpBoVRCe0hA@mail.gmail.com>
 <52F01716.2040304@sugarcrm.com> <CAGa2bXb6Dfqko98Z7=xYyUghCdg-7Lk3TE4BQL6_JCzvxsau8g@mail.gmail.com>
 <52F02499.3000004@lsces.co.uk>
Date: Tue, 4 Feb 2014 14:46:35 +0900
X-Google-Sender-Auth: -YnKEnlXYjW1201mByblrCZjoFM
Message-ID: <CAGa2bXY8M+gwkpsy+YKdH9KqPfVSKVdGa=E+Q+Mc+n1uQvrvYQ@mail.gmail.com>
To: Lester Caine <lester@lsces.co.uk>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c26818438c9104f18e2c61
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c26818438c9104f18e2c61
Content-Type: text/plain; charset=UTF-8

Hi Lester,

On Tue, Feb 4, 2014 at 8:22 AM, Lester Caine <lester@lsces.co.uk> wrote:

> Yasuo Ohgaki wrote:
>
>> I'm lost here.
>> OWASP suggests to escape at least
>>
>>   & --> &amp;
>>   < --> &lt;
>>   > --> &gt;
>>   " --> &quot;
>>   ' --> &#x27;     &apos; not recommended because its not in the HTML spec
>> (See: section 24.4.1) &apos; is in the XML and XHTML specs.
>>   / --> &#x2F;     forward slash is included as it helps end an HTML
>> entity
>>
>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)
>> _Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_
>> Inserting_Untrusted_Data_into_HTML_Element_Content
>>
>> I'm not sure why you state "already violate this requirement".
>>
>
> It may be that what you are asking for is a flag on htmlentities for
> 'OWASP' compliant option. Others would probably view that as not then being
> html5 compliant since html5 has it's own list of 'escaped' characters. One
> of the irritating things I find is 'unescaping' a string does not return
> the original string simply because the html5 rule has not been followed! A
> clean html5 result should be the default.
>
> Looking at the Rule 2 from the OWASP they are actually asking for every
> character below 256 to be escaped when used in an attribute! But the
> important thing here is 'untrusted' data, and sanitising any externally
> supplied data needs a little more care than simply trying to wrap it in
> htmlentities which I think is what Stas is saying? Personally I try to
> avoid any path where input can be processed direct back to output, filter
> the input, don't simply try and patch the output?


I suggests "Validate *all* inputs if they meet spec" and "Escape/Use secure
and proper API".
Currently PHP lacks these APIs. JavaScript literal escape is one of them.
As you can see in
my blog, escaping is not a simple task to do. There should be APIs for it.

I'm willing to address this issue and there is a RFC for it already.

https://wiki.php.net/rfc/escaper

I just don't have time for it :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c26818438c9104f18e2c61--