From: masakielastic at gmail dot com
Operating system:
PHP version: 5.5.0
Package: JSON related
Bug Type: Feature/Change Request
Bug description: new function for preventing XSS attack
Description:
------------
Although the JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP options were added in PHP 5.3 for preventing XSS attacks, a lot of people don't specify these options.

https://github.com/search?l=PHP&q=json_encode&ref=advsearch&type=Code

One of PHP's goals is to provide a secure way for creating web applications without CMSes and frameworks. One of the measures for the problem is providing a new function that makes these options default. Adding recommended options as a default also makes sense.

    function json_secure_encode($value, $options = 0, $depth = 512)
    {
        // JSON_NOTUTF8_SUBSTITUTE: a proposed option replacing ill-formed byte
        // sequences with substitute characters (not defined in PHP yet, so it is
        // only added when available) https://bugs.php.net/bug.php?id=65082
        $options |= JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
        if (defined('JSON_NOTUTF8_SUBSTITUTE')) {
            $options |= JSON_NOTUTF8_SUBSTITUTE;
        }
        // delegate to the built-in encoder with the hardened flag set applied
        return json_encode($value, $options, $depth);
    }

A shortcut for these options may be helpful a bit.

    if (!defined('JSON_QUOTES')) {
        define('JSON_QUOTES', JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
    }

The following RFC shows various functions for fewer options.

Escaping RFC for PHP Core
https://wiki.php.net/rfc/escaper

Ruby on Rails provides json_escape via ERB::Util.
http://api.rubyonrails.org/classes/ERB/Util.html

OWASP shows the guidelines for XSS attacks.

RULE #3.1 - HTML escape JSON values in an HTML context and read the data with JSON.parse
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse

As a sidenote, the default HTTP headers of Rails include "X-Content-Type-Options: nosniff" for IE.
http://edgeguides.rubyonrails.org/security.html#default-headers
https://github.com/rails/docrails/blob/master/actionpack/lib/action_dispatch/railtie.rb#L20=L24

The following articles describe JSON-based XSS exploitation.
http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html
https://superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications

--
Edit bug report at https://bugs.php.net/bug.php?id=65257&edit=1
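A worked demonstration of the flag set the report proposes, added here as an example; it is neither the reporter's code nor PHP's own. It assumes PHP 7.2 or later for JSON_INVALID_UTF8_SUBSTITUTE (the flag PHP later shipped for the ill-formed-UTF-8 case the report calls JSON_NOTUTF8_SUBSTITUTE; on older versions it is skipped), and the helper names html_safe_json_flags, json_encode_for_html and html_unsafe_chars are invented for the example. It encodes a few constructed values with the default flags and with the hardened flags and reports which HTML-significant characters survive in each output.

```php
<?php
// Added example, not part of the bug report. Assumes PHP >= 7.2 for
// JSON_INVALID_UTF8_SUBSTITUTE; the flag is only applied when defined.

// Flag set that keeps <, >, &, ' and " out of encoded string contents, so the
// JSON can sit inside a <script> block or a single-quoted HTML attribute.
function html_safe_json_flags(): int
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    if (defined('JSON_INVALID_UTF8_SUBSTITUTE')) {
        $flags |= JSON_INVALID_UTF8_SUBSTITUTE; // ill-formed bytes -> U+FFFD
    }
    return $flags;
}

// Hardened wrapper: same signature shape as json_encode, fails loudly instead
// of returning false (a silent false becomes an empty script variable).
function json_encode_for_html($value, int $extra = 0, int $depth = 512): string
{
    $out = json_encode($value, html_safe_json_flags() | $extra, $depth);
    if ($out === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $out;
}

// Characters that still reach the HTML parser unescaped. The JSON's own
// structural double quotes are expected, so " is not in this list; with
// JSON_HEX_QUOT every " inside string contents becomes \u0022.
function html_unsafe_chars(string $json): array
{
    $found = [];
    foreach (['<', '>', '&', "'"] as $c) {
        if (strpos($json, $c) !== false) {
            $found[] = $c;
        }
    }
    return $found;
}

// Constructed sample values (not taken from any real application).
$samples = [
    'close_tag' => '</script>',   // would end an inline script block
    'quotes'    => "x\" y'z",     // matters inside quoted attributes
    'amp'       => 'a&b',         // entity start in HTML text
    'bad_utf8'  => "ab\xC3cd",    // truncated multibyte sequence
];

foreach ($samples as $name => $value) {
    $plain = json_encode($value); // default flags: / is escaped as \/, which
                                  // turns </script> into <\/script>, but < and >
                                  // themselves are left alone
    $plainText = $plain === false ? 'FALSE (' . json_last_error_msg() . ')' : $plain;
    printf("%-9s default : %-24s unsafe=[%s]\n", $name, $plainText,
        $plain === false ? '' : implode('', html_unsafe_chars($plain)));

    try {
        $safe = json_encode_for_html($value);
        printf("%-9s hardened: %-24s unsafe=[%s]\n", '', $safe,
            implode('', html_unsafe_chars($safe)));
    } catch (RuntimeException $e) {
        // Reached only on PHP < 7.2 for the bad_utf8 sample.
        printf("%-9s hardened: %s\n", '', $e->getMessage());
    }
}
```

On PHP 7.2+ the default column shows `"<\/script>"` flagged for `<` and `>`, `"x\" y'z"` flagged for `'`, `"a&b"` flagged for `&`, and FALSE for the invalid UTF-8 input, while the hardened column produces `"\u003C\/script\u003E"`, `"x\u0022 y\u0027z"`, `"a\u0026b"` and `"ab\ufffdcd"` with nothing flagged. The default slash escaping is why the plain `</script>` case often appears harmless in testing; it stops protecting as soon as JSON_UNESCAPED_SLASHES is passed or the value lands in an attribute rather than a script block, which is the situation the report's proposed defaults are meant to cover.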