Hi,

Could htmlspecialchars() use ENT_QUOTES by default?

I recently worked on an example script, where I tried to keep it simple by
using htmlspecialchars directly, e.g.

    echo "<img src='" . htmlspecialchars($url) . "'>";

I'd completely forgotten that single quotes are not escaped by default,
creating an XSS vulnerability, e.g.

    $url = "/' onerror='alert(1)";

All the common frameworks I could find use ENT_QUOTES to do this safely
(details below).

Christoph (cmb69) suggests this was done for HTML4 compatibility, with
older versions of PHP possibly having issues with numeric character
references (a quick search suggests PHP 5.4?).

PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue
to do so - because the named version, &apos; was added in HTML5, but can
still cause problems with legacy parsers; for example Android 4, and the
one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
original HTML spec, and &quot; was added in HTML2).

I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I
prefer to keep as much of the valid data (rather than losing everything),
but that's not as important as escaping the apostrophe by default.

Craig
WordPress uses ENT_QUOTES (ish).

https://developer.wordpress.org/reference/functions/esc_html/

Laravel, with Blade, uses ENT_QUOTES:

https://github.com/illuminate/support/blob/master/helpers.php#L118

Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:

https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243

CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:

https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120

CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:

https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67

Yii uses ENT_QUOTES | ENT_SUBSTITUTE:

https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111

Phalcon uses ENT_QUOTES:

https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78

FuelPHP uses ENT_QUOTES:

https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459
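The following is an added example, not part of Craig's message and not code from any of the frameworks listed above. It reproduces the single-quoted `<img>` attribute and the payload from the message, and compares the historical double-quotes-only behaviour (ENT_COMPAT, the default before PHP 8.1) with ENT_QUOTES and ENT_SUBSTITUTE. The flags are passed explicitly so the output is the same on any PHP version; the `e()` and `img_tag()` helper names are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the message above: compare the historical default
// behaviour (double quotes only) with ENT_QUOTES | ENT_SUBSTITUTE, using the
// same single-quoted <img> attribute and the same payload as the message.

/**
 * Hypothetical escaping helper, named e() here for brevity.
 * ENT_QUOTES escapes both " and ' (' becomes the numeric &#039;);
 * ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning "".
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Builds the <img> tag from the message, with the flags passed through. */
function img_tag(string $url, int $flags): string
{
    return "<img src='" . htmlspecialchars($url, $flags, 'UTF-8') . "'>";
}

// Constructed attacker-controlled value from the message: it closes the
// single-quoted attribute and appends an event-handler attribute.
$url = "/' onerror='alert(1)";

// ENT_COMPAT is the default before PHP 8.1: only double quotes are converted,
// so the apostrophe is left alone and the output gains a live onerror attribute.
echo img_tag($url, ENT_COMPAT), PHP_EOL;

// With ENT_QUOTES the apostrophe is converted to &#039;, so the whole payload
// stays inside the src value and no new attribute is created.
echo img_tag($url, ENT_QUOTES), PHP_EOL;

// ENT_SUBSTITUTE: a Latin-1 byte that is not valid UTF-8 (constructed input).
// Without the flag the entire string is dropped and the result is empty;
// with it, only the bad byte is replaced and the rest of the data survives.
$bad = "caf\xE9";
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
var_dump(e($bad));

// Self-check: the escaped attribute must contain only the two delimiting
// apostrophes, and the invalid byte must not wipe out the whole value.
assert(substr_count(img_tag($url, ENT_QUOTES), "'") === 2);
assert(e($bad) !== '');
```

Run it with `php example.php`. Passing the flags explicitly matters because on PHP 8.1 and later the default is already ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so a call without flags would not show the older behaviour; the ENT_COMPAT call is what older versions do when the third argument is omitted.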
