Comments (5)
Are you asking to add more characters to the whitelist, so they don't get encoded?
Maybe you could argue that certain characters like ":" don't need to be escaped, but it's easier to have a very small white-list of "known good" characters ([^a-z0-9,\.\-_]), than trying to work out which characters are allowed in each context.
For anyone not familiar with the background... the reason escapeHtmlAttr() encodes more aggressively than escapeHtml() is for non-quoted attributes.
Let's say someone did:
$url = 'https://www.example.com/';
<a href=<?= $escaper->escapeHtmlAttr($url) ?>>
Notice that it does not include quote marks.
This creates the fairly "ugly" output:
<a href=https://www.example.com/>
What happens if $url was provided by the user (maybe a link to their website), and they set it to:
$url = 'https://www.example.com/ onclick=do_evil_thing';
Without using escapeHtmlAttr(), it would create the perfectly valid:
<a href=https://www.example.com/ onclick=do_evil_thing>
This means they can create an onclick event handler on your website :-)
You could still use escapeHtml() or htmlspecialchars(), but you must make sure your attributes are quoted.
<a href="<?= $escaper->escapeHtml($url) ?>">
So that it creates:
<a href="https://www.example.com/">
Or, if you want to use htmlspecialchars(), don't forget to use it in full:
htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'utf-8')
PS: Have a look at adding a CSP (Content Security Policy), and set it so that it does not allow unsafe-inline for scripts or styles. This will probably require you to make some changes, but it adds a second line of defence against this problem, where any attributes like onclick would be blocked by the browser.
from zend-escaper.
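The unquoted-attribute scenario from the comment above, as an added example that is not code from zend-escaper or its author: a simplified Python re-implementation of the two strategies (escapeHtml-style metacharacter escaping versus escapeHtmlAttr-style whitelist encoding) plus a rough start-tag attribute tokenizer, showing in which variant the injected onclick becomes its own attribute. The entity forms and the [a-zA-Z0-9,._-] whitelist are assumptions about the library's behaviour, and the tokenizer is a deliberately crude stand-in for a browser.

```python
import re

# Constructed demo input, as in the comment above: a "website" value a user could supply.
EVIL_URL = 'https://www.example.com/ onclick=do_evil_thing'

# What htmlspecialchars($s, ENT_QUOTES) touches: only the five HTML metacharacters.
_HTML_SPECIAL = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'}

# Attribute escaper (assumed behaviour): a small whitelist; everything else is encoded.
_ATTR_NAMED = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;'}
_ATTR_UNSAFE = re.compile(r'[^a-zA-Z0-9,._-]')


def escape_html(value: str) -> str:
    """escapeHtml()/htmlspecialchars() style: metacharacters only, spaces pass through."""
    return ''.join(_HTML_SPECIAL.get(ch, ch) for ch in value)


def escape_html_attr(value: str) -> str:
    """escapeHtmlAttr() style: any char outside [a-zA-Z0-9,._-] becomes an entity."""
    def encode(match: re.Match) -> str:
        ch = match.group(0)
        if ch in _ATTR_NAMED:
            return _ATTR_NAMED[ch]
        cp = ord(ch)
        # &#xHH; for Latin-1 code points, &#xHHHH; above that (e.g. Cyrillic).
        return f'&#x{cp:02X};' if cp < 0x100 else f'&#x{cp:04X};'
    return _ATTR_UNSAFE.sub(encode, value)


def render_link(url: str, escaper, quoted: bool) -> str:
    """Build the <a> tag from the comment, with or without quotes around href."""
    value = escaper(url)
    return f'<a href="{value}">' if quoted else f'<a href={value}>'


# Crude attribute tokenizer: a name, '=', then a quoted or whitespace-delimited
# value, roughly how a browser splits a start tag into attributes.
_ATTR_TOKEN = re.compile(r'\s([a-zA-Z-]+)=(?:"[^"]*"|\'[^\']*\'|[^\s>]*)')


def attribute_names(tag: str) -> list:
    """Which attributes does the tag end up with? More than one means injection."""
    return _ATTR_TOKEN.findall(tag)


if __name__ == '__main__':
    for escaper, quoted in ((escape_html, False), (escape_html_attr, False), (escape_html, True)):
        tag = render_link(EVIL_URL, escaper, quoted)
        print(f'{escaper.__name__:17} quoted={quoted!s:5} -> {attribute_names(tag)}  {tag}')
```

Only the unquoted href combined with escapeHtml yields two attributes; the whitelist escaper encodes the space as &#x20; and the quoted form keeps the space inside the value.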
@craigfrancis
Thanks for your explanation! I think this could improve the documentation.
from zend-escaper.
"Ugly" is not the problem in security-sensitive contexts. Also, most source viewers will already make these attributes simple to read (Firefox does, for example).
As for the size, gzip compression generally deals with it.
from zend-escaper.
It is not easy to understand where the security improvements are here.
For example, why is "dot" a secure character but "semicolon" is not?
As for the size: on my example Cyrillic page, where escapeHtmlAttr is partially used:
68988 bytes - escaped only quotes and angle brackets
83611 bytes - escaped by escapeHtmlAttr (+20%)
Same with gzip:
11116 bytes
11790 bytes (+6%)
Indeed, the size is not crucial.
from zend-escaper.
This repository has been closed and moved to laminas/laminas-escaper; a new issue has been opened at laminas/laminas-escaper#3.
from zend-escaper.