Re: [RFC] Improve HTML escape

From: Lester Caine Date: Mon, 03 Feb 2014 23:22:01 +0000

Subject: Re: [RFC] Improve HTML escape

References: 1 2 3 4 5 6 7 8 9 10 11 Groups: php.internals

Request: Send a blank email to internals+get-72156@lists.php.net to get a copy of this message

Yasuo Ohgaki wrote:
I'm lost here.
OWASP suggests to escape at least

  & --> &amp;
  < --> &lt;
--> &gt;
  " --> &quot;
  ' --> &#x27;     &apos; not recommended because its not in the HTML spec
(See: section 24.4.1) &apos; is in the XML and XHTML specs.
  / --> &#x2F;     forward slash is included as it helps end an HTML entity

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

I'm not sure why you state "already violate this requirement".

It may be that what you are asking for is a flag on htmlentities for 'OWASP' compliant option. Others would probably view that as not then being html5 compliant since html5 has it's own list of 'escaped' characters. One of the irritating things I find is 'unescaping' a string does not return the original string simply because the html5 rule has not been followed! A clean html5 result should be the default.

Looking at the Rule 2 from the OWASP they are actually asking for every character below 256 to be escaped when used in an attribute! But the important thing here is 'untrusted' data, and sanitising any externally supplied data needs a little more care than simply trying to wrap it in htmlentities which I think is what Stas is saying? Personally I try to avoid any path where input can be processed direct back to output, filter the input, don't simply try and patch the output?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

Thread (37 messages)

Yasuo OhgakiSun, 02 Feb 2014 03:09:43 +0000
Sara GolemonSun, 02 Feb 2014 03:15:00 +0000
Yasuo OhgakiSun, 02 Feb 2014 03:31:19 +0000
Sara GolemonSun, 02 Feb 2014 03:35:46 +0000
Pavel KouřilSun, 02 Feb 2014 09:38:22 +0000
Yasuo OhgakiSun, 02 Feb 2014 09:54:38 +0000
Stas MalyshevSun, 02 Feb 2014 10:19:03 +0000
Andrea FauldsSun, 02 Feb 2014 03:27:44 +0000
Yasuo OhgakiSun, 02 Feb 2014 03:33:37 +0000
Stas MalyshevSun, 02 Feb 2014 10:21:31 +0000
Rouven WeßlingSun, 02 Feb 2014 11:08:22 +0000
Pádraic BradySun, 02 Feb 2014 13:55:32 +0000
Rouven WeßlingSun, 02 Feb 2014 22:55:21 +0000
Yasuo OhgakiMon, 03 Feb 2014 01:43:48 +0000
Yasuo OhgakiMon, 03 Feb 2014 05:33:55 +0000
Stas MalyshevMon, 03 Feb 2014 08:17:58 +0000
Pádraic BradyMon, 03 Feb 2014 11:06:22 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:15:31 +0000
Stas MalyshevMon, 03 Feb 2014 22:21:08 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:26:47 +0000
Rowan CollinsTue, 04 Feb 2014 14:53:28 +0000
Pádraic BradyTue, 04 Feb 2014 15:15:45 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:04:07 +0000
Stas MalyshevMon, 03 Feb 2014 22:14:27 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:21:45 +0000
Stas MalyshevMon, 03 Feb 2014 22:24:22 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:31:16 +0000
Lester CaineMon, 03 Feb 2014 23:22:01 +0000
Pádraic BradyTue, 04 Feb 2014 00:20:19 +0000
Yasuo OhgakiTue, 04 Feb 2014 05:46:35 +0000
Pádraic BradyMon, 03 Feb 2014 22:31:14 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:37:49 +0000
Yasuo OhgakiMon, 03 Feb 2014 22:44:05 +0000
Andrea FauldsTue, 04 Feb 2014 15:57:29 +0000
Pádraic BradyTue, 04 Feb 2014 21:22:26 +0000
Yasuo OhgakiWed, 05 Feb 2014 02:10:39 +0000
Pádraic BradyWed, 05 Feb 2014 10:54:07 +0000

« previous	php.internals (#72156)	next »

From:	Lester Caine	Date:	Mon, 03 Feb 2014 23:22:01 +0000
Subject:	Re: [RFC] Improve HTML escape
References:	1 2 3 4 5 6 7 8 9 10 11	Groups:	php.internals
Request:	Send a blank email to internals+get-72156@lists.php.net to get a copy of this message