Newsgroups: php.internals
To: Scott Arciszewski, Lester Caine
Cc: PHP Internals
References: <20160617202344.2868F1A80C02@dd1730.kasserver.com> <57665E36.60302@lsces.co.uk> <5766D311.6030503@lsces.co.uk>
Message-ID: <4f4d3ef5-5cf8-cf61-d9f4-598c9c51522b@gmx.de>
Date: Sun, 19 Jun 2016 20:42:39 +0200
Subject: Re: [PHP-DEV] New escaped output operator
From: cmbecker69@gmx.de (Christoph Becker)

On 19.06.2016 at 19:28, Scott Arciszewski wrote:

> Further reading:
> https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Thanks!

Minor issue:

| If you failed to specify ENT_QUOTES and attacker simply needs to pass
| " onload="malicious javascript code as a value to that form field and
| presto, instant client-side code execution.

That's not correct, unless ENT_NOQUOTES would have been specified. The
default of htmlspecialchars() is to escape double-quotes, but to leave
single-quotes alone.

--
Christoph M. Becker
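The behaviour Christoph describes, as an added PHP example (not code from the thread or from the Paragonie post): it runs the payload quoted above, and its single-quote counterpart, through htmlspecialchars() with ENT_NOQUOTES, ENT_COMPAT and ENT_QUOTES, and checks whether the attribute delimiter survives in the escaped output. The function names and sample values are constructed for this example; flags are passed explicitly because the default changed in PHP 8.1 (ENT_COMPAT | ENT_HTML401 before, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 since).

```php
<?php
// Added example, not part of the thread: compares the quote-handling flags of
// htmlspecialchars() on the value quoted above. All inputs are constructed.
declare(strict_types=1);

// Escape a value for use inside an HTML attribute with an explicit flag set.
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the result into an empty
// string, which would otherwise silently drop the value.
function escapeForAttribute(string $value, int $flags): string
{
    return htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
}

// Run one value through the three quote-handling modes side by side.
function compareModes(string $value): array
{
    return [
        'ENT_NOQUOTES' => escapeForAttribute($value, ENT_NOQUOTES), // no quotes escaped
        'ENT_COMPAT'   => escapeForAttribute($value, ENT_COMPAT),   // double quotes only (pre-8.1 default)
        'ENT_QUOTES'   => escapeForAttribute($value, ENT_QUOTES),   // double and single quotes
    ];
}

// The attribute is intact only if its delimiter no longer occurs verbatim in
// the escaped output; otherwise the value can close the attribute early.
function delimiterSurvives(string $escaped, string $delimiter): bool
{
    return strpos($escaped, $delimiter) !== false;
}

// Constructed inputs: the value from the quoted blog post (double-quote
// context) and the single-quote counterpart the thread says the default
// flags leave alone.
$samples = [
    '"' => '" onload="malicious javascript code',
    "'" => "' onload='malicious javascript code",
];

foreach ($samples as $delimiter => $value) {
    echo "attribute delimited with {$delimiter}\n";
    foreach (compareModes($value) as $mode => $escaped) {
        $status = delimiterSurvives($escaped, $delimiter) ? 'BROKEN' : 'ok';
        printf("  %-12s %-6s <input value=%s%s%s>\n",
            $mode, $status, $delimiter, $escaped, $delimiter);
    }
}
```

In the double-quote context, ENT_NOQUOTES leaves the `"` in place while ENT_COMPAT and ENT_QUOTES both turn it into `&quot;`, which is Christoph's point: the pre-8.1 default already covers the case the blog post describes. In the single-quote context only ENT_QUOTES changes the `'` (to `&#039;` under the default ENT_HTML401 doctype), so an attribute written with single quotes is safe only with ENT_QUOTES; the usual defensive choice is to always pass ENT_QUOTES rather than rely on the version-dependent default.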