[whatwg] base64 entities

On 25.08.2010, at 23:46, Aryeh Gregor wrote:

>> These cases can be secured without any new features in browsers (by escaping whitespace using numeric entities):
>> 
>> function htmlescape($str) {
>>     // emit every whitespace and HTML-significant char as a numeric reference, e.g. "<" -> "&#60;"
>>     return preg_replace_callback('/[\s<>"\'&]/', function ($m) {
>>         return '&#' . ord($m[0]) . ';';
>>     }, $str);
>> }
> 
> That doesn't work in <script> for text/html, does it?

Ah, indeed.

Another tricky case came to my mind, which entities cannot secure (unless special magic is defined for the new entity):

onclick="show('&base64;')"

> These are reasonable points.  How many vulnerabilities would it
> actually prevent in practice if htmlspecialchars() were replaced with
> this everywhere?  XSS is usually when you don't escape things at all,
> not when you escape them in a slightly wrong way.  Easy escaping in
> <script> and <style> would be nice, though (or is there already some
> way to do that?).
In PHP json_encode() works great for outputting data in JS (and can be configured to JS-escape HTML-unsafe chars too), but I feel like I'm the only person who knows about it :)

-- 
regards, Kornel Lesiński

Received on Thursday, 26 August 2010 01:00:59 UTC
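To make the json_encode() point above concrete, here is an added example (not part of the thread) contrasting htmlspecialchars() with json_encode() plus its JSON_HEX_* flags for data placed inside <script> and inside an onclick="show('...')" handler. The input string, the show() handler and the variable names are constructed for the demonstration.

```php
<?php
// Added example, not from the original mailing-list post.
// Constructed untrusted input containing a script terminator and quote/amp chars.
$untrusted = "</script><!-- injected -->'\"&";

// Inside <script> in text/html the parser does not decode entities, so
// htmlspecialchars() leaves literal "&lt;" in the JS string (data corruption),
// and an unescaped "</script>" would end the script block early.
$broken = '<script>var s = "' . htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8') . '";</script>';

// json_encode() produces a valid JS string literal; the JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so the output can never close the <script>
// element or break out of an attribute-level quote.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$jsLiteral = json_encode($untrusted, $flags);
// e.g. "\u003C\/script\u003E\u003C!-- injected --\u003E\u0027\u0022\u0026"
$safeScript = '<script>var s = ' . $jsLiteral . ';</script>';

// For the onclick="show('...')" case: build the JS literal first, then escape
// the result as an HTML attribute value (ENT_QUOTES covers both quote kinds).
$attrValue = htmlspecialchars($jsLiteral, ENT_QUOTES, 'UTF-8');
$safeAttr = '<a href="#" onclick="show(' . $attrValue . ')">show</a>';

echo $broken, "\n", $safeScript, "\n", $safeAttr, "\n";
```

Because every HTML-significant character is already \u-escaped by json_encode(), the second htmlspecialchars() pass only has to handle the literal's own double quotes, which is why the layered encoding stays correct in both contexts.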