Newsgroups: php.internals
Message-ID: <52F0FEE8.5010302@gmail.com>
Date: Tue, 04 Feb 2014 14:53:28 +0000
From: rowan.collins@gmail.com (Rowan Collins)
To: internals@lists.php.net
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F01654.6080903@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape

Yasuo Ohgaki wrote (on 03/02/2014):
> On Tue, Feb 4, 2014 at 7:21 AM, Stas Malyshev wrote:
>
>> Nowhere in any standard it says we must use htmlentities to support
>> every possible context.
>
> We may or may not support unquoted attributes.
> I think it's really dangerous, therefore we may not support it ;)
> It may be good for PHP to declare "We support HTML5!", though.

I think part of the misunderstanding here is the distinction between "should PHP support an appropriate escape mechanism for this situation?" and "should the htmlentities() function be extended to be the appropriate escape mechanism for this situation?"

The security requirement is for *users* to use appropriate escaping, and quoting, mechanisms for the output formats they use. The combination of quoted attributes and htmlspecialchars() with ENT_QUOTES is a secure escaping method, provided by the core of PHP.

HTML5 *allows* users to use non-quoted attributes, but PHP does not currently have a built-in function which provides adequate escaping for that scenario. Such a function would need to do more than just escaping /, as others have pointed out; for instance, it would need to either escape, filter, or reject all forms of whitespace.

I have no real opinion on what that function should be, except that I will personally never use it, because I will simply put quotes around my attributes and remove any need for it.

Regards,
Rowan Collins
[IMSoP]
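The point Rowan makes above, as an added example that is not part of the thread and not PHP core code: a small helper that always emits double-quoted attributes escaped with htmlspecialchars() and ENT_QUOTES, beside a check that rejects any value that could not be emitted unquoted. The function names html_attr() and is_safe_unquoted_value() and the sample value are assumptions constructed for this example; the character list in the second function follows the HTML5 syntax rule for unquoted attribute values (non-empty, and no whitespace, quotes, =, <, > or backtick).

```php
<?php
// Added example, not from the mailing-list thread or from PHP core.

/**
 * Render one HTML attribute with a double-quoted, fully escaped value.
 * With ENT_QUOTES both " and ' are encoded, so the value can never close
 * the surrounding quotes, and whitespace or "/" inside it stay harmless.
 */
function html_attr(string $name, string $value): string
{
    // Attribute names are developer-controlled: reject anything odd
    // instead of trying to escape it.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9:_-]*$/', $name)) {
        throw new InvalidArgumentException("Invalid attribute name: $name");
    }
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $name . '="' . $escaped . '"';
}

/**
 * The "reject" option for unquoted attributes mentioned in the thread:
 * true only if the value could legally stand without quotes in HTML5
 * (non-empty, and free of whitespace, quotes, =, <, > and backtick).
 * htmlspecialchars() alone does not remove whitespace, so a value that
 * fails this check must be quoted, not merely escaped.
 */
function is_safe_unquoted_value(string $value): bool
{
    if ($value === '') {
        return false;
    }
    return preg_match('/[\s"\'=<>`]/u', $value) !== 1;
}

// Constructed sample value: whitespace and a slash (untouched by
// htmlspecialchars) plus a double quote (encoded by it).
$untrusted = 'foo bar/baz "q"';

// Quoted form: the space and slash remain inside the attribute value.
echo '<input ' . html_attr('value', $untrusted) . ">\n";

// Unquoted form with identical escaping: the space ends the attribute,
// so "bar/baz" is parsed as a second attribute name. Escaping is not
// enough here, which is why the check below refuses the value.
var_dump(is_safe_unquoted_value($untrusted));          // rejected
var_dump(is_safe_unquoted_value('plain-token_123'));   // acceptable
```

Running this prints the quoted `<input value="foo bar/baz &quot;q&quot;">`, then `bool(false)` for the sample value and `bool(true)` for the plain token. The design choice is the one the message argues for: make quoting unconditional in the helper so that ENT_QUOTES escaping is sufficient, and treat the unquoted check as a guard that fails closed rather than as a second escaping scheme to maintain.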