Newsgroups: php.internals
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
In-Reply-To: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
Date: Tue, 23 Dec 2025 11:55:00 +0200
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()
To: Sergei Issaev
Cc: internals@lists.php.net
From: narf@devilix.net (Andrey Andreev)

Hi Sergei,

XSS escaping is unfortunately not as simple as that. Templating engines are context-aware and can know whether to apply escaping for free-form text or an attribute (which can often also be validated by type), specific tag behaviors, and even whether the output is to be executed as HTML, XML, CSS, JS, etc.

One-size-fits-all escaping that doesn't take such context into account is not effective and even makes things worse by giving developers a false sense of security.

Cheers,
Andrey.
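The distinction Andrey draws above, put into code: the same value needs a different escaper depending on whether it lands in HTML text, a quoted attribute, a JS string literal or a URL parameter, and a single escaper applied everywhere produces output that is wrong in some of those sinks. This is an added example and not code from the thread, from the RFC idea or from PHP itself; it assumes PHP 8.1 or newer (for the enum), the `Context` enum and the names `escape`, `renderProfile` and `compareJsEscaping` are hypothetical, and the sample input is constructed. The PHP functions and flags it calls are real.

```php
<?php
declare(strict_types=1);

// Added example, not code from the php.internals thread or from PHP itself.
// The Context enum and the escape()/renderProfile()/compareJsEscaping()
// names are hypothetical; the PHP functions and flags they use are real.

enum Context
{
    case HtmlText;   // free-form text between tags
    case HtmlAttr;   // value of a double-quoted attribute
    case JsString;   // a string literal inside an inline <script> block
    case UrlParam;   // one query-string parameter value
}

function escape(string $value, Context $ctx): string
{
    $htmlFlags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return match ($ctx) {
        // Entity-encode the HTML metacharacters. ENT_SUBSTITUTE replaces invalid
        // UTF-8 instead of returning "", which would silently drop the output.
        Context::HtmlText => htmlspecialchars($value, $htmlFlags, 'UTF-8'),
        // Same encoder, but the template MUST wrap the result in double quotes:
        // entity encoding alone does not protect an unquoted attribute value,
        // because whitespace still terminates the value there.
        Context::HtmlAttr => htmlspecialchars($value, $htmlFlags, 'UTF-8'),
        // json_encode() yields a valid JS string literal, quotes included. The
        // HEX flags turn < > & ' " into \uXXXX so the literal can never close
        // the surrounding <script> element; U+2028/2029 are escaped by default.
        Context::JsString => json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
        ),
        // Percent-encode a single parameter value. Escaping is not validation:
        // a complete URL's scheme and host still need their own check.
        Context::UrlParam => rawurlencode($value),
    };
}

// One value rendered into four different sink contexts of the same template.
function renderProfile(string $name, string $next): string
{
    $text = escape($name, Context::HtmlText);
    $attr = escape($name, Context::HtmlAttr);
    $js   = escape($name, Context::JsString);
    $url  = escape($next, Context::UrlParam);

    return <<<HTML
    <p>Hello, {$text}</p>
    <input name="display" value="{$attr}">
    <a href="/next?to={$url}">Continue</a>
    <script>var user = {$js};</script>
    HTML;
}

// Why one escaper cannot serve every context: run the HTML-text escaper on a
// value bound for a JS string literal and compare it with the JS escaper.
// Returns [wrong, right] so the two results can be inspected side by side.
function compareJsEscaping(string $value): array
{
    $wrong = '"' . escape($value, Context::HtmlText) . '"';
    $right = escape($value, Context::JsString);
    return [$wrong, $right];
}

// Constructed sample input (not from the thread): quotes, angle brackets, an
// ampersand and a newline, the characters whose meaning differs per context.
$sample = "O'Reilly <\"Ada\" & co>\nsecond line";

echo renderProfile($sample, 'https://example.com/?a=1&b=2'), "\n\n";

[$wrong, $right] = compareJsEscaping($sample);
echo "HTML escaper in JS context: ", $wrong, "\n";
echo "JS escaper in JS context:   ", $right, "\n";
```

Running it shows the failure mode the message describes: the HTML-text escaper leaves the newline untouched, so the resulting JS literal spans two lines and is a syntax error, and because the browser does not decode entities inside `<script>`, the user would see `O&apos;Reilly` rather than `O'Reilly` even if the literal had parsed. The JS escaper produces `"O\u0027Reilly \u003C\u0022Ada\u0022 \u0026 co\u003E\nsecond line"`, which is both correct and unable to break out of the element. The attribute case makes the complementary point: `HtmlAttr` uses the very same encoder as `HtmlText`, and it is only safe because the template supplies the surrounding double quotes; an escaper that cannot see whether the attribute is quoted cannot promise anything about it.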