Opened 10 years ago

Closed 10 years ago

#23502 closed New feature (wontfix)

Request for an escape_all filter for non alphanumeric chars with ASCII values less than 256

Reported by: djbug
Owned by: nobody
Component: Utilities
Version: 1.7
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If you want to put untrusted data in attributes, OWASP recommends escaping a lot more characters than what's needed for escaping untrusted data in HTML elements:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > and |.

The recommendation for JavaScript escaping is somewhat similar, except for using \xHH format instead of &#xHH;. This would be a useful addition to security related utilities.

P.S. Another reference: http://wonko.com/post/html-escaping

Change History (1)

comment:1 by Tim Graham, 10 years ago

Resolution: wontfix
Status: new → closed

I think it would be better to start this off as a 3rd party package to prove there is sufficient interest for its inclusion in core.
