Newsgroups: php.internals
Date: Tue, 27 Jan 2015 11:06:23 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: Discussion for RFC: Set appropriate/better defaults.

Hi all,

I would like to write an RFC that sets appropriate/better defaults by default.

For example, htmlspecialchars() has the following definition now:

string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

http://php.net/htmlspecialchars

Besides the fact that HTML5 allows non-quoted attributes, the $flags default is better as "ENT_QUOTES | ENT_HTML401", since HTML5 accepts both " and ' as quote chars.

Another example is http_build_query(). It should escape ' ' as '%20' by default, not '+'.

The following is a quick list of what I can think of.

===php.ini===

- session.use_strict_mode=On : Enable strict session ID validation by default
- session.serializer=php_serialize : Use plain PHP serialize() rather than 'php', which was made for register_globals=On.
- session.hash_function=1 : Use SHA1 rather than MD5
- session.http_only=On : The session ID should not be accessible from JS for security reasons.
- opcache.enable=1

===functions===

- session_set_cookie_params()

BEFORE
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

AFTER
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = TRUE ]]]] )

Note: session_destroy()/session_regenerate_id() should set the destroy flag to TRUE, but I'll address this issue in a different RFC.
- htmlspecialchars()

BEFORE
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

AFTER
string htmlspecialchars ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

- htmlentities()

BEFORE
string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

AFTER
string htmlentities ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

- htmlspecialchars_decode()

BEFORE
string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )

AFTER
string htmlspecialchars_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 ] )

- html_entity_decode()

BEFORE
string html_entity_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )

AFTER
string html_entity_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )

- http_build_query()

BEFORE
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC1738 ]]] )

AFTER
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC3986 ]]] )

- json_encode()

BEFORE
string json_encode ( mixed $value [, int $options = 0 [, int $depth = 512 ]] )

AFTER
string json_encode ( mixed $value [, int $options = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT [, int $depth = 512 ]] )

Note: These options provide safety when JSON is embedded into an HTML/JavaScript context.
- uniqid()

BEFORE
string uniqid ([ string $prefix = "" [, bool $more_entropy = false ]] )

AFTER
string uniqid ([ string $prefix = "" [, bool $more_entropy = TRUE ]] )

There may be others. Please add them if there are any obsolete/unreasonable/insecure defaults.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
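As an added illustration (not part of the original mail and not PHP's own code), the script below runs htmlspecialchars(), http_build_query() and json_encode() on a constructed input with both the current defaults and the defaults the mail proposes, so the difference in output can be seen side by side. The input string and parameter array are constructed for the example.

```php
<?php
// Added example: current vs. proposed defaults from the RFC discussion.
// Works on PHP 5.4+ (PHP_QUERY_RFC3986 and the JSON_HEX_* flags exist there).

// Constructed sample input containing a single quote, a double quote,
// an ampersand, a tag and a space.
$userInput = "it's <b>bold</b> & \"quoted\"";

// htmlspecialchars(): ENT_COMPAT (current default) does not touch the
// single quote, so a value placed in a single-quoted attribute can end
// that attribute early. ENT_QUOTES (proposed default) encodes it as well.
$compat = htmlspecialchars($userInput, ENT_COMPAT | ENT_HTML401, 'UTF-8');
$quotes = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML401, 'UTF-8');
echo "ENT_COMPAT : <input value='", $compat, "'>\n";  // ' left as-is
echo "ENT_QUOTES : <input value='", $quotes, "'>\n";  // ' encoded

// http_build_query(): PHP_QUERY_RFC1738 (current default) encodes a space
// as '+', PHP_QUERY_RFC3986 (proposed default) encodes it as '%20'.
$params = ['q' => 'php internals', 'who' => "o'hara"];
echo "RFC1738    : ", http_build_query($params, '', '&', PHP_QUERY_RFC1738), "\n";
echo "RFC3986    : ", http_build_query($params, '', '&', PHP_QUERY_RFC3986), "\n";

// json_encode(): with the proposed JSON_HEX_* flags, <, >, &, ' and " are
// emitted as \uXXXX escapes, so the JSON text stays inert when it is
// embedded in an HTML attribute or an inline <script> block.
$data = ['name' => $userInput];
$hexFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo "json plain : ", json_encode($data), "\n";
echo "json hex   : ", json_encode($data, $hexFlags), "\n";
```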