Newsgroups: php.internals
References: <52F10DE9.3040504@ajf.me>
Date: Wed, 5 Feb 2014 11:10:39 +0900
To: Pádraic Brady
Cc: Andrea Faulds, internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Padraic,

On Wed, Feb 5, 2014 at 6:22 AM, Pádraic Brady wrote:
> Doing a bit of due diligence, the reason the forward slash was added
> was to prevent any possibility of someone introducing a JavaScript
> comment into an attribute. It's very sketchy, but the theory is that
> since HTML escaping won't escape /, using HTML escaping on a
> JavaScript attribute like onmouseover might allow the browser to
> interpret a comment, disregard the terminating quotes of an attribute,
> and then inject HTML. Personally, it seems a bit garbled - user input
> in a JavaScript attribute should be escaped as a JavaScript string
> literal with no input injected as actual JavaScript code - so it would
> require both a severe browser parsing issue AND a lack of proper
> contextual escaping.
>

It depends on how the HTML parser parses HTML. If the parser is aware of
"/*" as a JS comment, then it can be attacked. Escaping '/' would prevent
malicious code from attacking when the user has sloppy validation and/or
filtering. (The HTML parser should parse the HTML document as HTML first
and should not recognize JS elements or anything else, but who knows
whether every parser out there is implemented correctly.)

I've added deprecation of ENT_COMPAT/ENT_QUOTES to the RFC.

Is it ready to vote? No more issues to discuss? Anyone?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
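As an added example, not part of this thread or of the RFC, the following PHP escaper shows the two contexts Pádraic and Yasuo are discussing: plain HTML attribute escaping with '/' additionally encoded as &#x2F; (which htmlspecialchars() alone does not do), and JavaScript string-literal escaping layered underneath it for an event-handler attribute. The function names and the sample input are constructed for this example.

```php
<?php
// HTML text/attribute context. PHP's htmlspecialchars() escapes & < > " '
// but leaves "/" alone, so it is encoded here as &#x2F; (the OWASP
// recommendation) so that "/*" or "*/" cannot survive into the markup.
function escape_html(string $s): string
{
    $escaped = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return str_replace('/', '&#x2F;', $escaped);
}

// JavaScript string-literal context: every character outside [A-Za-z0-9]
// becomes a \xHH, \uHHHH or \u{H...} escape, so user input can only ever be
// string data inside the script, never code or a comment delimiter.
function escape_js_string(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');              // mb_ord() needs PHP 7.2+
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        return sprintf('\\u{%X}', $cp);            // ES2015 code point escape
    }, $s);
}

// Constructed sample input containing a quote and JS comment delimiters,
// the kind of value the thread is worried about.
$userInput = 'x" /* not a comment */';

// Plain attribute (title): HTML escaping alone, with "/" now &#x2F;.
$title = escape_html($userInput);

// Event-handler attribute (onmouseover): JS-escape first, then HTML-escape,
// because the browser HTML-decodes the attribute before the JS parser sees it.
$handler = escape_html("show('" . escape_js_string($userInput) . "')");

echo '<span title="', $title, '" onmouseover="', $handler, '">demo</span>', PHP_EOL;
```

Run with `php escape_demo.php` (file name assumed); the title value comes out with `&#x2F;` in place of each slash, while the handler carries the input only as `\xHH` escapes inside a JS string literal.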