Opened 6 years ago

Closed 6 years ago

#23502 closed New feature (wontfix)

Request for an escape_all filter for non alphanumeric chars with ASCII values less than 256

Reported by: djbug Owned by: nobody
Component: Utilities Version: 1.7
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

If you want to put untrusted data in attributes, OWASP recommends escaping a lot more characters than what's needed for escaping untrusted data in HTML elements:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > and |.

The recommendation for Javascript escaping is somewhat similar, except for using \xHH format instead of &#xHH;. This would be a useful addition to security related utilities.

P.S. Another reference : http://wonko.com/post/html-escaping

Change History (1)

comment:1 Changed 6 years ago by Tim Graham

Resolution: wontfix
Status: newclosed

I think it would be better to start this off as a 3rd party package to prove there is sufficient interest for its inclusion in core.

Note: See TracTickets for help on using tickets.
Back to Top