On Sat, Dec 26, 2020 at 12:03 PM Craig Francis <cr...@craigfrancis.co.uk> wrote:
> Hi,
>
> Could htmlspecialchars() use ENT_QUOTES by default?
>
> I recently worked on an example script, where I tried to keep it simple by
> using htmlspecialchars directly, e.g.
>
> echo "<img src='" . htmlspecialchars($url) . "'>";
>
> I'd completely forgotten that single quotes are not escaped by default,
> creating an XSS vulnerability, e.g.
>
> $url = "/' onerror='alert(1)";
>
> All the common frameworks I could find use ENT_QUOTES to do this safely
> (details below).
>
> Christoph (cmb69) suggests this was done for HTML4 compatibility, with
> older versions of PHP possibly having issues with numeric character
> references (a quick search suggests PHP 5.4?).
>
> PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue
> to do so - because the named version, &apos; was added in HTML5, but can
> still cause problems with legacy parsers; for example Android 4, and the
> one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
> original HTML spec, and &quot; was added in HTML2).
>
> I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I
> prefer to keep as much of the valid data (rather than losing everything),
> but that's not as important as escaping the apostrophe by default.
>
> Craig
>
>
>
> WordPress uses ENT_QUOTES (ish).
> https://developer.wordpress.org/reference/functions/esc_html/
>
> Laravel, with Blade, uses ENT_QUOTES:
> https://github.com/illuminate/support/blob/master/helpers.php#L118
>
> Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243
>
> CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120
>
> CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67
>
> YII uses ENT_QUOTES | ENT_SUBSTITUTE:
> https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111
>
> Phalcon uses ENT_QUOTES:
> https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78
>
> FuelPHP uses ENT_QUOTES:
> https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459

I agree that we should switch the default to ENT_QUOTES. I also agree that we should enable ENT_SUBSTITUTE by default. I don't see any downside to these two options.

Would you like to submit a PR?

Nikita
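The two behaviours the thread contrasts, as an added example that is not part of the thread and not PHP's own code: the historical htmlspecialchars() default beside the ENT_QUOTES | ENT_SUBSTITUTE combination the frameworks above use. Flags are passed explicitly in both helpers so the result does not depend on which PHP release runs it; the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Historical default: only double quotes are encoded, the apostrophe is left
// alone, and a value with an invalid UTF-8 sequence comes back as an empty string.
function escape_legacy_default(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// The behaviour proposed in the thread: both quote styles encoded, the
// apostrophe as the numeric &#039; (ENT_HTML401, not &apos;), and invalid
// code units replaced with U+FFFD instead of discarding the whole value.
function escape_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// The single-quoted attribute from Craig's message; only the escaper varies.
function img_tag(string $url, callable $escape): string
{
    return "<img src='" . $escape($url) . "'>";
}

// Does the escaped value still contain a raw apostrophe that could close the
// attribute? A defender's check on the output, independent of the flags used.
function leaves_attribute(string $escaped): bool
{
    return str_contains($escaped, "'");
}

// Constructed inputs: the attribute-breaking value quoted in the thread, and a
// Latin-1 byte that is not valid UTF-8.
$attrBreaking = "/' onerror='alert(1)";
$invalidUtf8  = "caf\xE9";

foreach (['escape_legacy_default', 'escape_safe'] as $escaper) {
    $out = img_tag($attrBreaking, $escaper);
    printf("%-22s %s  attribute intact: %s\n",
        $escaper, $out, leaves_attribute($escaper($attrBreaking)) ? 'no' : 'yes');
}

// ENT_SUBSTITUTE keeps the valid prefix and substitutes U+FFFD for the bad byte;
// without it the whole value is lost, which is the data loss Craig refers to.
printf("legacy length: %d, safe length: %d\n",
    strlen(escape_legacy_default($invalidUtf8)), strlen(escape_safe($invalidUtf8)));
```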