Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:129672
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 195E71A00BC
	for <internals@lists.php.net>; Tue, 23 Dec 2025 09:06:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1766480803; bh=I9wnTmGEmbXXNdsOzNUphOyp5NzRxtcnqG8gfUQFjZU=;
	h=Date:To:From:Subject:From;
	b=HPBNK6aPkLOjBNF27srWYLgNsOw4FaKZqhSktGQ50N32FA7zp4eQEQJa4xj4T0lzt
	 1YWKS7tWbrtLnv1z4vgqiYiotIY0RJP2kWI4EO27a2nNtFIu/OrmMjFoj0O/1cNyvo
	 zf/8o2R1OlvRfkCJaQrPCScvrK3l/IxkUtdc6uTMk34k3NpWo8YrWLq+DZJgs8624o
	 eK6zYL++IdgBAXMHt71blWB3Q5FGniOgwz+2O7LP2S/SMZSqtWyvYu3Q6vD9M/pdPn
	 +LQ5QC6dCS72vnHnSZi82v/16VmcqnY7jV5auwBjqPEKqs1bP3aj1RcN1R5W7X7te+
	 +h/T2kPjJFMzA==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id D282B180087
	for <internals@lists.php.net>; Tue, 23 Dec 2025 09:06:42 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <sergei_vi@mail.ru>
Received: from send265.i.mail.ru (send265.i.mail.ru [95.163.59.104])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 23 Dec 2025 09:06:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru;
	s=mail4; h=Content-Transfer-Encoding:Content-Type:Subject:From:To:
	MIME-Version:Date:Message-ID:From:Sender:Reply-To:To:Cc:Content-Type:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
	List-Owner:List-Archive:X-Cloud-Ids:Disposition-Notification-To;
	bh=geH1J+BaJYQsT+wSMVx/xRw3VI/qDyRvMCbcFRfOLM0=; t=1766480797; x=1766570797; 
	b=KSwMJaMKWYq2II7O1sQzoZ0x4l7Z3mU6AN9Xhe/u9gQhpePr5X78B9T/GkgFA3fq1Q1q+ebgeaL
	v8zvsK7wQlbgrBz/XdyefSsyTOS7OJhrFKbQlTN4xLglY6ATYxQFoJ+2QxqpF2jHrsTN+ZJhLikNy
	PG6hQYlJZWy3vZPtVL0S4l27s56i2+Ty9pst9hzXzn9D/yoE7RLGFA0gNsqfXTJO3kWbqKHYxG343
	KY3ozDiHYeJyB4Goy8waIcDDXBQDjjHozPnzSp480lIuY/TQKgeL4Zc1DecW4SGbFnS3P/I1jP+zG
	BHR3hIi/T7HuQhs5PC6qLkPXFx4QcdF0p0MQ==;
Received: by exim-smtp-7b4fb89df9-hdrvs with esmtpa (envelope-from <sergei_vi@mail.ru>)
	id 1vXyLi-00000000EtB-3KW1
	for internals@lists.php.net; Tue, 23 Dec 2025 12:06:35 +0300
Message-ID: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
Date: Tue, 23 Dec 2025 14:06:34 +0500
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: internals@lists.php.net
Subject: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping (<?~ ... ?>)
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Authentication-Results: exim-smtp-7b4fb89df9-hdrvs; auth=pass smtp.auth=sergei_vi@mail.ru smtp.mailfrom=sergei_vi@mail.ru
X-Mailru-Src: smtp
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD9169BA2A4A1D10D004841E10CD62028A9775330A6F185131C182A05F538085040BA1B6565F1E3E2C73DE06ABAFEAF6705BABEAC053D6D05CE4C7127690FFFAFB2DC961F69A1D5625B
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE78EA80DE462DCD770EA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637AC83A81C8FD4AD23D82A6BABE6F325AC2E85FA5F3EDFCBAA7353EFBB55337566EF210049E62C3CC58AC51E44166C26852B2F702C59A1011CEEAAA9CB6E2D8F778EEF46B7454FC60B9742502CCDD46D0D0839144E5BB460BAF6B57BC7E64490618DEB871D839B73339E8FC8737B5C224901F8F2FECC0250C8CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92176DF2183F8FC7C078FCF50C7EAF9C588941B15DA834481F9449624AB7ADAF37BA3038C0950A5D3613377AFFFEAFD269176DF2183F8FC7C0D51C44EAE4F6F3777B076A6E789B0E97A8DF7F3B2552694AD5FFEEA1DED7F25D49FD398EE364050F1E561CDFBCA1751F3D5BA627BF9F2FCFB3661434B16C20ACC84D3B47A649675FE827F84554CEF5019E625A9149C048EE9ECD01F8117BC8BEE2021AF6380DFAD18AA50765F790063735872C767BF85DA227C277FBC8AE2E8BAEFF4136F5E2B48575ECD9A6C639B01B4E70A05D1297E1BBCB5012B2E24CD356
X-C1DE0DAB: 0D63561A33F958A5478655EECE54CC025002B1117B3ED696AA59E3594C7C432CF09842853758E9E5277AA237ED671D4372AF3B35EA4094CC744B801E316CB65F9C5DF10A05D560A9D2B5782620B851B7C8C84E951CD0BE2F58C12E6D310A6D53587F3D2152687E5CA71A35648BE338CEED902CAAD3CD6B00BA7CCD254A1CF5E862DF4AA59CF45099638A446BE3E5C627BF0CFE790FC11A7261332C5CB50AE517BDAD6C7F3747799A
X-C8649E89: 1C3962B70DF3F0AD73CAD6646DEDE1918E10F71CB4DF9F96A0CBE312C330D7D583CD26C36C883521FC0B9F89525902EE6F57B2FD27647F25E66C117BDB76D6592146A1E64EC52210AD7EF7ACE6F1CBF48DF0467A08B52693FC0D3C136FC158DD064B2B5510A4BBF8B8341EE9D5BE9A0ADA0F0FE6837FAF23D2178B14C88547FE63D572CDCF2F56DF52EE4E5D9E54FDA44C41F94D744909CE2512F26BEC029E553CB3D282126E6E1124A389F0E278DBF4
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVdtTL5f5BIXbRt6WIlRWVDM=
X-Mailru-Sender: 474170D26F205C1D0BD6AEE7EFD74FAEAD007E21A0EFB493B951B70A5BD4BD8ED1B6DB9179C53EB2EF14E3EC3073B18436311F12C71828C63DDE9B364B0DF289A372462D1A417A85CA9B01087240937D0D4ABDE8C577C2ED
X-Mras: Ok
From: sergei_vi@mail.ru (Sergei Issaev)

Hi internals,

I’d like to propose a small but security-relevant addition to PHP’s 
templating syntax: a new short echo tag that automatically applies 
secure HTML escaping.

**The problem**

Despite PHP being a perfectly capable templating language on its own, 
developers often reach for external templating engines (like Twig or 
Blade) primarily to get automatic HTML escaping and avoid XSS. This adds 
dependencies, complexity, and performance overhead — even when 95% of 
the project would be simpler with native PHP templates.

At the same time, manual escaping is error-prone:

```
<?= $user_input ?>          // ❌ dangerous
<?= htmlspecialchars($user_input, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?>  
// ✅ but verbose
```

Many security vulnerabilities stem from the sheer verbosity of the safe 
version.

**The proposal**

Introduce a new short echo tag:

```
<?~ $expr ?>
```

which compiles to:

```
<?php echo htmlspecialchars($expr, ENT_QUOTES | ENT_SUBSTITUTE | 
ENT_HTML5, 'UTF-8'); ?>
```

Key points:
- Uses htmlspecialchars() (not htmlentities()) — sufficient and standard 
for XSS prevention.
- Hardcodes secure flags and UTF-8 encoding (aligned with default_charset).
- Syntax is currently a parse error → no BC break.
- The <?~ tag is available whenever <?= is available.

This gives native PHP templates a secure-by-default output mechanism 
without requiring a full templating engine.

**Why not just use Twig/Blade?**

There’s nothing wrong with those engines — **but PHP itself is already a 
great template language**. Requiring a separate dependency just for 
auto-escaping feels like overkill for many projects (e.g., small apps, 
WordPress plugins, legacy modernisation).

**About implementation**

I’m not a C developer and don’t have experience with the Zend Engine 
internals. However, I’m fully committed to:
- Writing and maintaining a complete RFC document
- Participating actively in design discussions (syntax, flags, security 
model)
- Testing any implementation or prototype
- Collaborating with anyone willing to help with the parser/lexer patch

If the idea gains support, I hope a volunteer from the internals team 
might be interested in guiding or contributing the low-level implementation.

**Next steps**

I’d appreciate your thoughts — especially on:
- Whether this functionality belongs in core
- Security assumptions (e.g., hardcoded UTF-8, flag choices)
- Syntax alternatives (<?~ vs <?h= vs others)

Thank you for your time and consideration.

Best regards,
Sergei Issaev