
HTML escaping forward slash

Open lindonb opened this issue 8 years ago • 2 comments

OWASP recommends escaping the forward slash character in addition to the other characters normally escaped with PHP's htmlspecialchars() method. Any thought to adding that to the escapeHTML() method?

lindonb avatar Apr 24 '17 19:04 lindonb

As far as I know, no modern browser currently in operation would be vulnerable to that character. Putting it another way:

  • It's a null end tag, e.g. <img src="foo"/ - note the missing closing > which is interpreted as a closed tag by an agent supporting null end tags from SGML. Similarly: <title/This is a title/ is a delimited variant considered closed.
  • An agent supporting null end tags, meeting a modern variant... <img src="foo"/> might decide the final > comes after the tag is closed, and print it. You might see recommendations to inject a space after the / and before the > intended to maximize compatibility with older user agents.
  • Most user agents think spewing lots of > symbols throughout a page's text is a Bad Idea for compatibility and usability reasons. So they simply do not support null end tags. That should be true of any 21st century browser.

All that said, there's no specific reason why there would not be a user agent which does support null end tags in one of their SGML or HTML profiles (not XML AFAIK where the null end tag must be enclosed). You might have to build that agent yourself though, or dig up a copy of something from the 90s.

padraic avatar Apr 25 '17 09:04 padraic
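To make the two positions in the thread concrete, here is an added example (not zend-escaper's or laminas-escaper's code) that puts the plain htmlspecialchars() behaviour next to a variant that also applies the OWASP forward-slash rule, fed with the null-end-tag strings quoted above as constructed input. The function names escapeHtmlCore and escapeHtmlOwasp are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not library code. escapeHtmlCore does what PHP's
// htmlspecialchars() does with ENT_QUOTES: & < > " ' are escaped,
// "/" is left untouched. escapeHtmlOwasp adds the slash rule on top.
function escapeHtmlCore(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeHtmlOwasp(string $input): string
{
    // Escape first, then replace the slash. The replacement "&#x2F;"
    // contains no "/", so this order cannot double-escape anything.
    return str_replace('/', '&#x2F;', escapeHtmlCore($input));
}

// Constructed samples: the SGML null-end-tag forms mentioned in the thread,
// plus ordinary text containing a slash.
$samples = [
    '<img src="foo"/',
    '<title/This is a title/',
    'path/to/file',
];

foreach ($samples as $sample) {
    printf("input: %s\ncore:  %s\nowasp: %s\n\n",
        $sample, escapeHtmlCore($sample), escapeHtmlOwasp($sample));
}
```

Because escapeHtmlCore already turns every `<` into `&lt;`, neither null-end-tag sample can open a tag in element content even without the slash rule; the extra replacement only matters where the escaped value lands in a context that is not properly delimited, which is the defence-in-depth case OWASP has in mind.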

This repository has been closed and moved to laminas/laminas-escaper; a new issue has been opened at https://github.com/laminas/laminas-escaper/issues/2.

weierophinney avatar Dec 31 '19 21:12 weierophinney