Hi all,

I would like to write an RFC that sets appropriate/better defaults by default.

For example, htmlspecialchars() has the following definition now.

string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
http://php.net/htmlspecialchars

Besides the fact that HTML5 allows non-quoted attributes, the $flags default is better as "ENT_QUOTES | ENT_HTML401", since HTML5 accepts both " and ' as quote chars.

Another example is http_build_query(). It should escape ' ' as '%20' by default, not '+'.

The following is a quick list of what I can think of.

===php.ini===

- session.use_strict_mode=On : Enable strict session ID validation by default
- session.serializer=php_serialize : Use plain PHP serialize() rather than 'php', which was made for register_globals=On.
- session.hash_function=1 : Use SHA1 rather than MD5
- session.http_only=On : The session ID should not be accessible from JS, for security reasons.
- opcache.enable=1

===functions===

- session_set_cookie_params()
BEFORE
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
AFTER
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = TRUE ]]]] )

Note: session_destroy()/session_regenerate_id() should set the destroy flag to TRUE, but I'll address this issue in a different RFC.

- htmlspecialchars()
BEFORE
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
AFTER
string htmlspecialchars ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

- htmlentities()
BEFORE
string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
AFTER
string htmlentities ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )

- htmlspecialchars_decode()
BEFORE
string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )
AFTER
string htmlspecialchars_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 ] )

- html_entity_decode()
BEFORE
string html_entity_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )
AFTER
string html_entity_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )

- http_build_query()
BEFORE
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC1738 ]]] )
AFTER
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC3986 ]]] )

- json_encode()
BEFORE
string json_encode ( mixed $value [, int $options = 0 [, int $depth = 512 ]] )
AFTER
string json_encode ( mixed $value [, int $options = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT [, int $depth = 512 ]] )

Note: These options provide safety when JSON is embedded into an HTML/JavaScript context.

- uniqid()
BEFORE
string uniqid ([ string $prefix = "" [, bool $more_entropy = false ]] )
AFTER
string uniqid ([ string $prefix = "" [, bool $more_entropy = TRUE ]] )

There may be others. Please add them if there are any obsolete/unreasonable/insecure defaults.

Any comments?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
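The script below is an added example, not code from the post above or from PHP itself. It runs each of the proposed defaults side by side with the current one so the practical difference is visible: the single-quote break-out that ENT_COMPAT permits and ENT_QUOTES blocks, the '+' versus '%20' encoding of http_build_query(), the attribute break-out that the JSON_HEX_* flags prevent, the session cookie flags, and uniqid() with and without more_entropy. All input values are constructed for the demonstration; the ini name session.cookie_httponly is used for the item the post calls session.http_only, and the random_bytes() line is an added caveat about uniqid(), not part of the proposal.

```php
<?php
// Added example, not part of the original post: what each proposed default
// changes in practice. All inputs below are constructed test values.
// Run with: php defaults.php

// --- htmlspecialchars(): ENT_COMPAT vs ENT_QUOTES ----------------------------
// With ENT_COMPAT (the current default) the single quote passes through, so a
// value placed in a single-quoted attribute can close that attribute.
$value  = "x' onmouseover='alert(1)";
$compat = htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
$quotes = htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
echo "ENT_COMPAT: <a title='$compat'>x</a>\n"; // title='x' onmouseover='alert(1)' -> new attribute injected
echo "ENT_QUOTES: <a title='$quotes'>x</a>\n"; // ' becomes &#039;, value stays inside the attribute

// --- http_build_query(): PHP_QUERY_RFC1738 vs PHP_QUERY_RFC3986 --------------
// '+' means space only in application/x-www-form-urlencoded data. A consumer
// that decodes with rawurldecode() (or a path segment) keeps '+' literally,
// so '%20' is the unambiguous encoding.
$params  = ['q' => 'a b', 'next' => '/path/with space'];
$rfc1738 = http_build_query($params);                             // q=a+b&next=%2Fpath%2Fwith+space
$rfc3986 = http_build_query($params, '', '&', PHP_QUERY_RFC3986); // q=a%20b&next=%2Fpath%2Fwith%20space
echo "RFC1738: $rfc1738\n";
echo "RFC3986: $rfc3986\n";
// rawurldecode() round-trips only the RFC3986 form:
var_dump(rawurldecode('a+b') === 'a b');   // bool(false)
var_dump(rawurldecode('a%20b') === 'a b'); // bool(true)

// --- json_encode(): JSON_HEX_* flags for JSON embedded in HTML ----------------
// JSON does not escape ' or <, so plain json_encode() output dropped into a
// single-quoted attribute (or an inline <script> block) can break out of
// that context. The HEX flags encode those characters as \uXXXX escapes,
// which are still valid JSON and decode to the same document.
$cfg   = ['v' => "' onmouseover='alert(1)", 'html' => '<b>&</b>'];
$plain = json_encode($cfg);
$hex   = json_encode($cfg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo "plain: <div data-cfg='$plain'></div>\n"; // attribute closed by the embedded '
echo "hex:   <div data-cfg='$hex'></div>\n";   // ' -> \u0027, < -> \u003C, > -> \u003E, & -> \u0026
var_dump(json_decode($plain, true) === json_decode($hex, true)); // bool(true)

// --- session cookie flags ------------------------------------------------------
// The post proposes httponly = TRUE as the default; until then set it (and
// secure, and strict mode) explicitly before session_start(). The ini
// directive for the post's "session.http_only" item is session.cookie_httponly.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_set_cookie_params(0, '/', '', true, true); // lifetime, path, domain, secure, httponly
print_r(session_get_cookie_params());             // shows secure => 1, httponly => 1

// --- uniqid(): more_entropy -------------------------------------------------
// more_entropy appends additional digits from the combined LCG. Even then,
// uniqid() is clock based and is not a CSPRNG: for session IDs, CSRF tokens
// or nonces use random_bytes() instead (added caveat, not part of the post).
echo uniqid('', false), "\n";       // 13 hex chars derived from the current time
echo uniqid('', true), "\n";        // 23 chars: same prefix plus ".dddddddd" entropy suffix
echo bin2hex(random_bytes(16)), "\n"; // 128 bits from the OS CSPRNG
```

The two echo lines in each section are meant to be read as the HTML a template would emit: in the ENT_COMPAT and plain json_encode() cases the injected quote terminates the attribute and the rest of the value becomes a new event-handler attribute, while the ENT_QUOTES and JSON_HEX_* outputs keep the whole value inside the quoted attribute.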