This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

HTML escaping forward slash #23

Open
lindonb opened this issue Apr 24, 2017 · 2 comments

Comments

@lindonb

lindonb commented Apr 24, 2017

OWASP recommends escaping the forward slash character in addition to the other characters normally escaped with PHP's htmlspecialchars() method. Any thought to adding that to the escapeHTML() method?

@padraic
Member

padraic commented Apr 25, 2017

As far as I know, no modern browser currently in operation would be vulnerable to that character. Putting it another way:

  • It's a null end tag, e.g. <img src="foo"/ - note the missing closing > which is interpreted as a closed tag by an agent supporting null end tags from SGML. Similarly: <title/This is a title/ is a delimited variant considered closed.
  • An agent supporting null end tags, meeting a modern variant... <img src="foo"/> might decide the final > comes after the tag is closed, and print it. You might see recommendations to inject a space after the / and before the > intended to maximise compatibility with older user agents.
  • Most user agents think spewing lots of > symbols throughout a page's text is a Bad Idea for compatibility and usability reasons. So they simply do not support null end tags. That should be true of any 21st century browser.

All that said, there's no specific reason why there would not be a user agent which does support null end tags in one of their SGML or HTML profiles (not XML AFAIK where the null end tag must be enclosed). You might have to build that agent yourself though, or dig up a copy of something from the 90s.
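As an added illustration (not zend-escaper's own code), here is a PHP escaper that applies the OWASP HTML-body rule, including the forward slash, beside plain htmlspecialchars(), run on the tag forms mentioned above so the difference in output is visible:

```php
<?php
// Added example: an OWASP-style HTML-body escaper that also encodes "/",
// compared with PHP's built-in htmlspecialchars(). Not zend-escaper's code.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML element content, encoding the
 * five characters htmlspecialchars() handles (& < > " ') plus "/".
 */
function escapeHtmlWithSlash(string $value): string
{
    // ENT_QUOTES: encode both " and '. ENT_SUBSTITUTE: replace invalid
    // UTF-8 sequences instead of returning an empty string for the input.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // htmlspecialchars() leaves "/" untouched; OWASP's rule for element
    // content additionally encodes it as the hex entity &#x2F;.
    return str_replace('/', '&#x2F;', $escaped);
}

// Constructed sample inputs: the two null-end-tag forms from the discussion
// and an ordinary closing tag, where "/" only matters after an unescaped "<".
$samples = [
    '<img src="foo"/',
    '<title/This is a title/',
    '</b>',
];

foreach ($samples as $input) {
    printf("input:            %s\n", $input);
    printf("htmlspecialchars: %s\n", htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    printf("with slash:       %s\n\n", escapeHtmlWithSlash($input));
}
```

In every sample the "<" is already encoded by htmlspecialchars(), which is why no tag, null-end or otherwise, can form regardless of whether "/" is also encoded; the extra step only buys defence in depth for agents that treat a bare "/" specially.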

@weierophinney
Member

This repository has been closed and moved to laminas/laminas-escaper; a new issue has been opened at laminas/laminas-escaper#2.
