Newsgroups: php.internals
In-Reply-To: <52F0FEE8.5010302@gmail.com>
References: <52EDBB30.3070209@ajf.me>
<52EE1C2B.7030702@sugarcrm.com> <52EF50B6.1030404@sugarcrm.com> <52F01654.6080903@sugarcrm.com> <52F0FEE8.5010302@gmail.com>
Date: Tue, 4 Feb 2014 15:15:45 +0000
To: Rowan Collins
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: padraic.brady@gmail.com (Pádraic Brady)

Hi Rowan,

On 4 February 2014 14:53, Rowan Collins wrote:
> I think part of the misunderstanding here is the distinction between "should
> PHP support an appropriate escape mechanism for this situation?" and "should
> the htmlentities() function be extended to be the appropriate escape
> mechanism for this situation?"
>
> The security requirement is for *users* to use appropriate escaping, and
> quoting, mechanisms for the output formats they use. The combination of
> quoted attributes and htmlspecialchars() with ENT_QUOTES is a secure
> escaping method, provided by the core of PHP.
>
> HTML5 *allows* users to use non-quoted attributes, but PHP does not
> currently have a built-in function which provides adequate escaping for that
> scenario. Such a function would need to do more than just escaping /, as
> others have pointed out; for instance, it would need to either escape,
> filter, or reject all forms of whitespace.
>
> I have no real opinion on what that function should be, except that I will
> personally never use it, because I will simply put quotes around my
> attributes and remove any need for it.

That's what we should be doing. Part of the concern with having a full-on
unquoted attribute value escaping mechanism is what happens over the course
of an application's lifecycle. I'm absolutely of your opinion, but others
would argue that attribute escaping is defence in depth against the day
someone removes quotes without thinking. HTML5 has made that side of the
fence more relevant.

If it were to be done, it would be a separate function other than
htmlspecialchars(), which I assume is why htmlentities() as the local greedy
escaper makes an attractive carrier at face value. I don't actually think it
does fit there without redefining its purpose, so a separate function would
be wiser.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com

Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
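The point Rowan and Paddy are making above, shown in code as an added example that is not part of the thread and not PHP's own implementation: htmlspecialchars() with ENT_QUOTES is a complete escape for a value that sits inside a quoted attribute, but the same call inside an unquoted attribute lets whitespace end the value early. The third function, escapeAttrValue(), is a hypothetical separate escaper of the kind the thread says would be needed; it encodes every character outside [A-Za-z0-9] as a numeric reference, which covers quotes, all whitespace, `=`, `/` and `>`. The payload string is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed attacker input for the demonstration. It contains no quote
// characters at all, so ENT_QUOTES has nothing to encode; the space and the
// '=' are what break out of an unquoted attribute value.
$payload = "x onmouseover=alert(1)";

// Quoted attribute: the surrounding double quotes delimit the value, and
// ENT_QUOTES encodes any " or ' inside the data, so the attacker cannot
// close the attribute or start another one.
function quotedAttr(string $name, string $value): string
{
    return $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// Unquoted attribute with the same escaping: the first whitespace character
// terminates the value and the remainder of the payload is parsed as a new
// attribute. This is the form the thread warns about.
function unquotedAttrBroken(string $name, string $value): string
{
    return $name . '=' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical attribute-value escaper (not a PHP built-in). Every character
// outside [A-Za-z0-9] becomes a hexadecimal numeric character reference, so
// space, tab, LF, FF, CR, '=', '/', '>' and the quote characters can no longer
// act as delimiters, whether or not the template author quoted the attribute.
function escapeAttrValue(string $value): string
{
    $out = preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        static function (array $m): string {
            return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
        },
        $value
    );
    // With the /u modifier preg returns null on invalid UTF-8; fail closed
    // rather than emit the raw value.
    if ($out === null) {
        throw new RuntimeException('attribute value is not valid UTF-8');
    }
    return $out;
}

echo quotedAttr('title', $payload), "\n";
echo unquotedAttrBroken('title', $payload), "\n";
echo 'title=' . escapeAttrValue($payload), "\n";
```

With the constructed payload the first line is a single harmless title attribute, the second line yields a title attribute followed by a separate onmouseover attribute, and the third keeps everything inside one attribute because the space and the `=` are emitted as `&#x20;` and `&#x3D;`. Requires PHP 7.2 or later for mb_ord().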