> On 6 Jan 2021 at 16:46, Nikita Popov <nikita....@gmail.com> wrote:
>
> On Sat, Dec 26, 2020 at 12:03 PM Craig Francis <cr...@craigfrancis.co.uk> wrote:
>
>> Hi,
>>
>> Could htmlspecialchars() use ENT_QUOTES by default?
>>
>> I recently worked on an example script, where I tried to keep it simple by
>> using htmlspecialchars directly, e.g.
>>
>> echo "<img src='" . htmlspecialchars($url) . "'>";
>>
>> I'd completely forgotten that single quotes are not escaped by default,
>> creating an XSS vulnerability, e.g.
>>
>> $url = "/' onerror='alert(1)";
>>
>> All the common frameworks I could find use ENT_QUOTES to do this safely
>> (details below).
>>
>> Christoph (cmb69) suggests this was done for HTML4 compatibility, with
>> older versions of PHP possibly having issues with numeric character
>> references (a quick search suggests PHP 5.4?).
>>
>> PHP uses the numeric version &#039; with ENT_QUOTES, and it should continue
>> to do so - because the named version, &apos; was added in HTML5, but can
>> still cause problems with legacy parsers; for example Android 4, and the
>> one still in use by Microsoft Outlook (&amp;/&gt;/&lt; was in the
>> original HTML spec, and &quot; was added in HTML2).
>>
>> I'd also be tempted to suggest ENT_SUBSTITUTE should be included, as I
>> prefer to keep as much of the valid data (rather than losing everything),
>> but that's not as important as escaping the apostrophe by default.
>>
>> Craig
>>
>>
>>
>> WordPress uses ENT_QUOTES (ish):
>>
>> https://developer.wordpress.org/reference/functions/esc_html/
>>
>> Laravel, with Blade, uses ENT_QUOTES:
>>
>> https://github.com/illuminate/support/blob/master/helpers.php#L118
>>
>> Symfony or Slim, with Twig, uses ENT_QUOTES | ENT_SUBSTITUTE:
>>
>> https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L243
>>
>> CodeIgniter uses ENT_QUOTES | ENT_SUBSTITUTE:
>>
>> https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/ThirdParty/Escaper/Escaper.php#L120
>>
>> CakePHP uses ENT_QUOTES | ENT_SUBSTITUTE:
>>
>> https://github.com/cakephp/cakephp/blob/master/src/Core/functions.php#L67
>>
>> YII uses ENT_QUOTES | ENT_SUBSTITUTE:
>>
>> https://github.com/yiisoft/yii2/blob/master/framework/helpers/BaseHtml.php#L111
>>
>> Phalcon uses ENT_QUOTES:
>>
>> https://github.com/phalcon/phalcon/blob/v5.0.x/src/Html/Escaper.php#L78
>>
>> FuelPHP uses ENT_QUOTES:
>>
>> https://github.com/fuel/core/blob/1.9/develop/config/config.php#L459
>
> I agree that we should switch the default to ENT_QUOTES. I also agree that
> we should enable ENT_SUBSTITUTE by default. I don't see any downside to
> these two options.
>
> Would you like to submit a PR?
>
> Nikita

For ENT_SUBSTITUTE, there has been https://bugs.php.net/bug.php?id=69450, but I don't understand the objection in that bug report. Maybe there is some issue related to non-Unicode multibyte encodings?

—Claude
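The two behaviours the thread argues about, side by side, as an added example that is not part of any message above and not PHP's or any listed framework's own code. It is written against the pre-8.1 default flags the thread discusses (ENT_COMPAT | ENT_HTML401); PHP 8.1 later changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. The helper names `h()` and `render_img()` and the `$broken` input are assumptions constructed for the example; the `$url` payload is Craig's from the first message.

```php
<?php
// Added example, not code from the thread. Demonstrates (1) why relying on
// htmlspecialchars()' pre-8.1 default flags leaves a single-quoted attribute
// injectable, and (2) what ENT_SUBSTITUTE changes for invalid UTF-8 input.

// Hypothetical escaping helper, modelled on the frameworks listed in the thread:
// flags are passed explicitly so the result never depends on the PHP version's
// default. ENT_HTML401 keeps the apostrophe as the numeric reference &#039;
// (ENT_HTML5 would emit the named &apos;, which the thread warns older parsers
// do not understand).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Hypothetical renderer: builds the <img> tag from the first message using a
// caller-supplied flag set, so the two behaviours can be compared.
function render_img(string $url, int $flags): string
{
    return "<img src='" . htmlspecialchars($url, $flags, 'UTF-8') . "'>";
}

// Value from the original post (attacker-controlled in a real application).
$url = "/' onerror='alert(1)";

// Pre-8.1 default: ENT_COMPAT escapes only double quotes, so the apostrophe
// passes through and the injected onerror attribute survives in the markup.
$legacy = render_img($url, ENT_COMPAT | ENT_HTML401);

// ENT_QUOTES: the apostrophe is emitted as &#039;, so the value stays inside
// the attribute and no new attribute is created.
$hardened = render_img($url, ENT_QUOTES | ENT_HTML401);

// Defender-side check: with ENT_QUOTES the only single quotes left in the
// output are the two that delimit the attribute.
$legacyQuotes   = substr_count($legacy, "'");   // more than 2: attribute broken out of
$hardenedQuotes = substr_count($hardened, "'"); // exactly 2

// ENT_SUBSTITUTE: constructed input containing a byte that is not valid UTF-8
// on its own (\xE9 is Latin-1 é). Without ENT_SUBSTITUTE, htmlspecialchars()
// returns the empty string for the whole input, silently losing the valid data
// around the bad byte. With it, the bad byte becomes U+FFFD and the rest of
// the string, including the escaped <b>, is preserved.
$broken = "caf\xE9 <b>";
$dropped = htmlspecialchars($broken, ENT_QUOTES | ENT_HTML401, 'UTF-8');
$kept    = h($broken);

echo $legacy, "\n";
echo $hardened, "\n";
echo "single quotes in legacy output: ", $legacyQuotes, "\n";
echo "single quotes in hardened output: ", $hardenedQuotes, "\n";
echo "without ENT_SUBSTITUTE, output length: ", strlen($dropped), "\n";
echo "with ENT_SUBSTITUTE: ", $kept, "\n";
```

Run with `php example.php`. The quote count is a cheap regression check for templates that escape into single-quoted attributes: if more than the two delimiting apostrophes appear in the escaped output, the escaping flags in use do not cover `'`. The ENT_SUBSTITUTE half is the point Craig raises about keeping valid data rather than losing everything; whether an application prefers the empty string (fail closed) or U+FFFD replacement is the design question the bug report Claude links is about, but either way the choice should be made explicitly in the flags rather than inherited from the default.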