php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #69908 Accept array for htmlspecialchars/htmlentities
Submitted: 2015-06-23 09:01 UTC Modified: 2020-10-27 10:35 UTC
Votes:2
Avg. Score:1.0 ± 0.0
Reproduced:0 of 2 (0.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Suspended Package: Strings related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2015-06-23 09:01 UTC] yohgaki@php.net
Description:
------------
htmlspecialchars/htmlentities only accepts string to be escaped.
Accept array and escape all elements when array is passed to them.



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-23 09:01 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-06-23 09:08 UTC] requinix@php.net
What about all the other functions that take a string? add[c]slashes, bin2hex, md5, trim, [raw]urlencode... And what about html_entity_decode and htmlspecialchars_decode?
 [2015-06-23 09:39 UTC] yohgaki@php.net
I can take care of them also.

I also notice that current  php_html_entities implementation is not optimal.
It can take 1st parameter as zval and convert int/float simply to string.
 [2015-06-23 15:27 UTC] ircmaxell@php.net
I think this is the exact wrong way to solve the problem. Very rarely do you want to actually just do a "blind escape" of a bunch of variables. Instead, you need to know the context they will be used in. By accepting strings only, these security sensitive functions encourage you to use them exactly at the point of output, and hence in a contextual manner.

Instead, if you allow escaping arbitrary elements (arrays, objects, etc) then the contextual guarantees disappear, as well as pushing the escaping further from the point of output. This makes it harder to actually verify and reduces the overall security.

Not to mention that it makes the API a lot harder to follow and a lot more "magic". Both of which are clear negatives on a security sensitive API.
 [2015-06-24 02:27 UTC] yohgaki@php.net
@ircmaxwell
I can understand your argument very well. Output security depends on "output context". 

This change is intended to escape relatively large number of variable at once. For example, HTML tables that have a lot of variables. The objective is not for improving security, but performance.

We should balance security and performance/usability. Since I'm going to add array parameter support for conversion functions, we need to consider consistency also.

I'll create RFC for this.
 [2015-06-24 13:58 UTC] bishop@php.net
> Accept array and escape all elements when array is passed to them

Why not just:

array_map('htmlspecialchars', array ('&', '>', 'foo'));
 [2015-06-25 01:26 UTC] yohgaki@php.net
@bishop
It will make situation better, but not enough.

I'm looking for optimization on IoT devices that took more than 10 sec to generate log report page by PHP. More than half of time is took by htmlspecialchars() and do the best htmlspecialchars() can do.
 [2020-10-27 10:35 UTC] cmb@php.net
-Status: Assigned +Status: Suspended
 [2020-10-27 10:35 UTC] cmb@php.net
This feature request is obviously controversial, and as such needs
to be discussed on the internals mailing list[1].  If you're still
interested in having this, please forward your request to the
list.  For the time being, I'm suspending this ticket.

[1] <https://www.php.net/mailing-lists.php#internals>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 07 16:01:31 2024 UTC