Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:129674
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 6726F1A00BC
	for <internals@lists.php.net>; Tue, 23 Dec 2025 10:04:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1766484283; bh=13qmMTS4605kqgEKOgMKCGv4IVHRbmC56Wv+OWx2d2U=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=BOHZ2qxAtFx0s5WmF5jaBDyl8v7dZj62gm5TvqTgBqQnEW58ugkPtMqchCqshhS6h
	 zJjWK1FvnPovR8CJRYYx0kUkefg80ui2VjM1QDUCCIfO4+sAxOMNP1DuIk43AAM3l8
	 AIYyfXcnd+vzzo4G6Xd/K6H8edxVhLXr6WtgjIDBV+0nxQBkKb3OZ2h3Eg0vSxjeGj
	 4wKJ6EBG9Vz5I0QcFv5XFSBGP58mOWSSZNrhNkzwIUXwq0Ke5W6Y1MDRUPl0P6mf35
	 E+qX4vhkeCWcCJ04FOJnO3pnP7XGs2CcmSxdaHKcgzOGz//xPOsuu99DVY82mtTbJ6
	 KewvEWyYQefBQ==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 2AB5418002F
	for <internals@lists.php.net>; Tue, 23 Dec 2025 10:04:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <sergei_vi@mail.ru>
Received: from send36.i.mail.ru (send36.i.mail.ru [89.221.237.131])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 23 Dec 2025 10:04:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru;
	s=mail4; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From:References
	:Cc:To:Subject:MIME-Version:Date:Message-ID:From:Sender:Reply-To:To:Cc:
	Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:
	List-Archive:X-Cloud-Ids:Disposition-Notification-To;
	bh=x4JDpOdvcgpDFmi1O2ejs73A0PAk7tgUqvuWb230Bmg=; t=1766484275; x=1766574275; 
	b=C5WXqfYdzGg/GAManf5tmUEvPiHepmbj0X9aBXlzDPZbWyDd7tyM/TYmjvune1roNLXW5EwP6hx
	9acpLCZCYh3CfwKmpr05HWJ/Fgt3fADABccM5ugF7Q5V2BwrXhpSfRpR9AL+64MicSmHYStZwVgdF
	ApYYJiROJ6wTpEOLLjC9JtqsIpu8i5gI/H/6DhnMrkms8I3A/0Spiutrv89LO1gdA20mCKlF+7Cp/
	qyX31kcrAojIKoNzMX4rwG2aSGNSWUY08tyE+/ur+g/p3Hem6bLo+xjLjz10XwkiYcREGZkU9U5jL
	w6tZlhxv69lZqxLZZZjm5IYxm1+nyOpoXmTw==;
Received: by exim-smtp-7b4fb89df9-8zdd6 with esmtpa (envelope-from <sergei_vi@mail.ru>)
	id 1vXzFo-0000000013q-3OcF; Tue, 23 Dec 2025 13:04:33 +0300
Message-ID: <be4ebdd5-e0df-474d-af62-ba4f60a32999@mail.ru>
Date: Tue, 23 Dec 2025 15:04:32 +0500
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping
 (<?~ ... ?>)
To: Andrey Andreev <narf@devilix.net>
Cc: internals@lists.php.net
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
 <CAPhkiZxrhx5_T2ygss4P3RhdsfeK_2sfA4zcmLjJxm+_x0Cc5Q@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CAPhkiZxrhx5_T2ygss4P3RhdsfeK_2sfA4zcmLjJxm+_x0Cc5Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Authentication-Results: exim-smtp-7b4fb89df9-8zdd6; auth=pass smtp.auth=sergei_vi@mail.ru smtp.mailfrom=sergei_vi@mail.ru
X-Mailru-Src: smtp
X-7564579A: B8F34718100C35BD
X-77F55803: 4F1203BC0FB41BD9169BA2A4A1D10D00A39EF65B925BA2F3EC769FAEFE07FE1D182A05F538085040A669DE5B074ECB353DE06ABAFEAF6705F72EC303E6EF2EC6AACDA1C40553D73362E47C0D43DB26EF
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE77F5852B248C7AFEDEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637F88016AB904663428638F802B75D45FF914D58D5BE9E6BC1A93B80C6DEB9DEE97C6FB206A91F05B213DB6FC9CDA0EEFB2E070BE324C7D3C42412D829E8E5CA4FBB0A4F435E46E6718B35066C979671628AA50765F79006375A3B25A3A11CE7E4389733CBF5DBD5E913377AFFFEAFD269176DF2183F8FC7C0A3E989B1926288338941B15DA834481FCF19DD082D7633A0EF3E4896CB9E6436389733CBF5DBD5E9D5E8D9A59859A8B652D31B9D28593E51CC7F00164DA146DA6F5DAA56C3B73B237318B6A418E8EAB8D32BA5DBAC0009BE9E8FC8737B5C2249BFC5BFC0DB013F7476E601842F6C81A12EF20D2F80756B5FB606B96278B59C4276E601842F6C81A127C277FBC8AE2E8B81832CA52DEE17263AA81AA40904B5D99C9F4D5AE37F343AD1F44FA8B9022EA23BBE47FD9DD3FB595F5C1EE8F4F765FC72CEEB2601E22B093A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E735837C4FEFBD186071C4224003CC83647689D4C264860C145E
X-C1DE0DAB: 0D63561A33F958A55640B5DECA4E166A5002B1117B3ED696D2FAAB2D60455267ED71F038FC046993823CB91A9FED034534781492E4B8EEADB73CFAAED92B6E13BDAD6C7F3747799A
X-C8649E89: 1C3962B70DF3F0AD73CAD6646DEDE1918E10F71CB4DF9F9677DD89D51EBB774225B6776AC983F447FC0B9F89525902EE6F57B2FD27647F25E66C117BDB76D6592A8575F47F8522E835FACD892F9060D7881AC045FB6E2BF294BA08E7A7F7953910508D5A6D43ADD2B8341EE9D5BE9A0A5E9DF75F5855D870E6CFA59C1696A1D2D9BE1D685820AD5B8CD93680B12512CF4C41F94D744909CE2512F26BEC029E553CB3D282126E6E1124A389F0E278DBF4
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVdtTL5f5BIXb31OiwVvaXY8=
X-Mailru-Sender: 474170D26F205C1D0BD6AEE7EFD74FAE656F6CB5B4551F52B951B70A5BD4BD8EF2D2096C6317EE56963B07FDC01C0C9D36311F12C71828C63DDE9B364B0DF289A372462D1A417A85CA9B01087240937D0D4ABDE8C577C2ED
X-Mras: Ok
From: sergei_vi@mail.ru (Sergei Issaev)

Hi Andrey,

Thank you for the thoughtful reply — I completely agree that full 
context-aware escaping (like in Twig or Blade) is essential for complex 
or mixed-output scenarios.

My intention isn’t to replace that kind of intelligence, but rather to 
offer a simple, safe default for the most common case: outputting plain 
user-supplied text inside HTML text content or double-quoted attributes, 
e.g.:

```

<p><?~ $comment ?></p>
<input value="<?~ $name ?>">

```

In these cases, htmlspecialchars(..., ENT_QUOTES | ENT_HTML5, 'UTF-8') 
is sufficient and widely recommended. The goal isn’t to solve all XSS 
vectors, but to eliminate the most frequent footgun: forgetting to 
escape at all.

Developers would still be responsible for using proper context-specific 
escaping (or a full templating engine) when interpolating into <script>, 
styles, URLs, or unquoted attributes — but for the 80% case of rendering 
form values or content in standard HTML, <?~ would provide a concise, 
secure-by-default shortcut.

Think of it as similar to how <?= ... ?> made output easier than <?php 
echo ... ?> — not a security feature per se, but a nudge toward safer 
habits in everyday templating.

Would that narrower scope make the proposal more reasonable for core?

Best regards,
Sergei



On 12/23/25 14:55, Andrey Andreev wrote:
> Hi Sergei,
>
> XSS escaping is unfortunately not as simple as that. Templating 
> engines are context-aware and can know whether to apply escaping for 
> free-form text or an attribute (which can often also be validated by 
> type), specific tag behaviors, and even whether the output is to be 
> executed as HTML, XML, CSS, JS, etc.
>
> One-size-fits-all escaping that doesn't take such context into account 
> is not effective and even makes things worse by giving developers a 
> false sense of security.
>
> Cheers,
> Andrey.