On 2012-04-01 13:49, Rouslan Placella wrote:
On 01/04/12 13:11, Marc Delisle wrote:
On 2012-03-31 11:02, Dieter Adriaenssens wrote:
On 28 March 2012 14:37, Marc Delisle marc@infomarc.info wrote:
On 2012-03-28 04:53, Michal Čihař wrote:
Hi
On Tue, 27 Mar 2012 22:01:05 +0200, Dieter Adriaenssens dieter.adriaenssens@gmail.com wrote:
As discussed on the team meeting in February, I started creating a wiki page with some guidelines for avoiding security bugs [0]. The page is not finished yet, I just set out some ideas, that I will work out in the next few days. Feel free to comment, improve or add guidelines as you see fit.
Thanks, looks great so far!
Yes, thanks. I'm wondering, are there places where we really use htmlentities() for protection?
htmlentities() is not much used (see lower), shall we replace them all by htmlspecialchars and drop the htmlentities() from the guidelines?
It would be more prudent to have a look at them, one by one, and see their exact purpose.
You'd use htmlentities() when you need to escape single quotes, htmlspecialchars() doesn't do that.
From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES flag which does this: "'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.
E.g.: $name = htmlentities("foo's bar", ENT_QUOTES); echo "<input name='name' value='$name' />";
Anyway, some of them are under libraries/tcpdf and some under /test.
In the PHP Architect guide to PHP security by one of the PHP core developers, I checked the chapter about XSS. I could not find a suggestion to use htmlentities(); however, htmlspecialchars() does not find all XSS, so they suggest using preg_replace() with some clever patterns.
Using htmlspecialchars() is sufficient to protect against XSS (and possibly messing up of the HTML structure); htmlentities() just converts more characters into their HTML character entity equivalents (for example ü will become &uuml;).
Current occurrences of escaping/sanitizing functions in the PMA codebase:
htmlentities() : 51
htmlspecialchars() : 1041
PMA_sanitize() : 40
PMA_sanitize_file() : 3
Also I think we should talk about PMA_sanitize().
Yes, but it should not be used in all cases?
Maybe, but it would be slower than just plain htmlspecialchars(). Also, with the default parameters of PMA_sanitize(), it just replaces "<" and ">" and takes care of our special formatting codes.
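The point about ENT_QUOTES made in the thread, as an added example that is not code from phpMyAdmin or from any of the people quoted above. It renders the single-quoted <input> from Marc's example with constructed attacker-style input, once with ENT_COMPAT (the pre-PHP 8.1 default, which leaves single quotes alone) and once with ENT_QUOTES, and then compares htmlspecialchars() and htmlentities() on a non-ASCII character. The helper name render_value_attr() and the sample input are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin code. Shows why ENT_QUOTES, not
// htmlentities(), is what protects a single-quoted attribute value.
declare(strict_types=1);

// Constructed input: tries to close the value='...' attribute early and
// add an event handler attribute of its own.
$input = "foo' onmouseover='alert(1)";

// Hypothetical helper: escape $value for a single-quoted attribute using
// the given htmlspecialchars() flags, and return the resulting markup.
// Charset is passed explicitly so behaviour does not depend on php.ini.
function render_value_attr(string $value, int $flags): string
{
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return "<input name='name' value='$escaped' />";
}

// ENT_COMPAT escapes only double quotes, so the single quote in $input
// survives and the attribute is closed by attacker-controlled text.
// (Before PHP 8.1 this was the default when no flags were given.)
echo render_value_attr($input, ENT_COMPAT), "\n";

// ENT_QUOTES also converts the single quote, so the whole payload stays
// inside the attribute value as inert text.
echo render_value_attr($input, ENT_QUOTES), "\n";

// For the XSS-relevant characters (& < > " ') htmlspecialchars() and
// htmlentities() agree when given the same flags; htmlentities() only
// additionally converts characters that have a named entity, e.g. ü.
$umlaut = "ü";
var_dump(htmlspecialchars($umlaut, ENT_QUOTES, 'UTF-8') === $umlaut);
var_dump(htmlentities($umlaut, ENT_QUOTES, 'UTF-8') === '&uuml;');

// Same check on the attacker input: both functions yield identical output,
// so htmlentities() buys nothing extra for quote escaping.
var_dump(
    htmlspecialchars($input, ENT_QUOTES, 'UTF-8')
    === htmlentities($input, ENT_QUOTES, 'UTF-8')
);
```

Run it with `php example.php`. The first echo shows the attribute closing early; the second shows the single quote rendered as the &#039; entity quoted from the manual above, which is the behaviour a guideline should require (always pass ENT_QUOTES, and pass the charset explicitly) rather than switching to htmlentities().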