
Security::htmlentities instead of htmlspecialchars #30

Open
ounziw opened this issue May 18, 2013 · 2 comments

Comments

ounziw (Contributor) commented May 18, 2013

I propose to use FuelPHP's Security::htmlentities instead of htmlspecialchars

http://fuelphp.com/docs/classes/security.html#method_htmlentities

The reason is that the Japanese language uses UTF-8 encoding, and FuelPHP's Security::htmlentities automatically sets the encoding to UTF-8 (if FuelPHP is configured to use UTF-8, Security::htmlentities uses UTF-8).

sdrdis (Contributor) commented May 27, 2013

Hi!

Sorry about the delay. We are not sure we understood your issue; do you have any bug, warning or encoding error?

The thing is that htmlentities does much more than htmlspecialchars. We did not succeed in reproducing any issue using htmlspecialchars and Japanese characters, but since it is documented that this function uses ISO-8859-1 encoding for PHP < 5.4.0 (http://www.php.net/manual/en/function.htmlspecialchars.php), we just implemented our own \Security::htmlspecialchars function:

novius-os/core@abebdac

Is it what you were asking for? If yes, do you need us to commit it in master/chiba?

Thanks 😄

ounziw (Contributor, Author) commented May 28, 2013

> We didn't succeed to reproduce any issue using htmlspecialchars and japanese characters,

Yes, in normal cases, nothing is bad.
When no encoding is set and attackers insert invalidly encoded characters, some of them may pass unescaped.
http://www.tokumaru.org/d/20090930.html
http://www.tokumaru.org/d/20100927.html#p01 (these posts are from a Japanese blog, written by a security master)

So htmlspecialchars($s, ENT_QUOTES, 'UTF-8') or htmlentities($s, ENT_QUOTES, 'UTF-8') is recommended, since setting the encoding does no harm.
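As an added illustration (not code from Novius OS, FuelPHP, or either commenter), a small PHP helper in the spirit of the \Security::htmlspecialchars wrapper discussed in this thread: it always passes ENT_QUOTES and an explicit 'UTF-8' charset, and additionally uses ENT_SUBSTITUTE (a PHP 5.4+ flag, assumed available) so that an invalid byte sequence is replaced with U+FFFD instead of the whole string silently becoming empty. The sample inputs are constructed.

```php
<?php
// Added example, not project code. Assumptions: PHP >= 5.4 (ENT_SUBSTITUTE),
// and the application emits UTF-8 pages.

/**
 * Escape a string for safe inclusion in HTML text or attribute values.
 * The charset is always given explicitly: before PHP 5.4 the default was
 * ISO-8859-1, which cannot recognise UTF-8 multi-byte sequences, and an
 * escaper that does not know the encoding can let malformed bytes through.
 */
function escape_html($value)
{
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE, // escape ' and ", replace invalid sequences
        'UTF-8'
    );
}

/**
 * Defensive self-check for output produced by escape_html(): no raw markup
 * or quote character may survive, and a non-empty input must not have been
 * turned into an empty string (what htmlspecialchars does on invalid input
 * when ENT_SUBSTITUTE is not set).
 */
function is_neutralised($raw, $escaped)
{
    if ($raw !== '' && $escaped === '') {
        return false;
    }
    return preg_match('/[<>"\']/', $escaped) === 0;
}

// Constructed sample inputs.
$samples = array(
    'japanese'  => "日本語の<テスト>",        // valid UTF-8 containing markup characters
    'quotes'    => "O'Reilly \"quoted\"",     // both quote styles
    'malformed' => "abc\xC0\xAF<b>",          // invalid (overlong) UTF-8 sequence before a tag
);

foreach ($samples as $name => $raw) {
    $escaped = escape_html($raw);
    printf("%-9s %s -> %s\n", $name, is_neutralised($raw, $escaped) ? 'ok ' : 'BAD', $escaped);
}
```

Run with `php escape_example.php`; every line should report `ok`, and the malformed sample shows a U+FFFD replacement character followed by `&lt;b&gt;`.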
