Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:106424 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 80303 invoked from network); 7 Aug 2019 22:28:21 -0000 Received: from unknown (HELO localhost.localdomain) (76.75.200.58) by pb1.pair.com with SMTP; 7 Aug 2019 22:28:21 -0000 To: internals@lists.php.net References: Date: Wed, 7 Aug 2019 20:55:20 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Posted-By: 94.4.34.143 Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecate PHP's short open tags,again From: markyr@gmail.com (Mark Randall) Message-ID: On 07/08/2019 20:45, Sergey Panteleev wrote: > Perhaps I missed and someone already suggested, > but didn't consider a compromise option: > just change the default value short_open_tag=false, > and DON'T removes the option from php.ini? Without the other changes, this would lead to potentially dangerous code and data leakage. It's not really viable to simply change the default, or remove the option, without creating a significant security risk. Upgrading from one version to the next, without explicitly specifying the configuration in the INI during the upgrade (if previously omitted), would treat code which was previously explicitly specified as valid, as no longer valid, and would expose it to the world. Mark Randall