Newsgroups: php.internals
Date: Tue, 23 Dec 2025 11:09:46 +0100
From: rob@bottled.codes ("Rob Landers")
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()
Message-ID: <090074b5-8c44-4373-8834-5e49c611b17b@app.fastmail.com>
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>

On Tue, Dec 23, 2025, at 10:55, Andrey Andreev wrote:
> Hi Sergei,
>
> XSS escaping is unfortunately not as simple as that. Templating engines are context-aware and can know whether to apply escaping for free-form text or an attribute (which can often also be validated by type), specific tag behaviors, and even whether the output is to be executed as HTML, XML, CSS, JS, etc.
>
> One-size-fits-all escaping that doesn't take such context into account is not effective and even makes things worse by giving developers a false sense of security.
>
> Cheers,
> Andrey.

Hi Andrey,

Which template engines are context aware? The only ones I'm aware of are my own and Latte (which take a similar approach but are quite architecturally different).

— Rob
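As an added example (not code from this thread, from the RFC idea, or from any engine mentioned in it): a small context-aware escaper that chooses an encoding per output slot, illustrating the point that HTML entity encoding alone does not fit every context a template writes into. The Context enum, escape() and render() are hypothetical names, and the sample value is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names for this example: Context and escape() are not
// part of any real engine or of the RFC idea under discussion.
enum Context { case HtmlText; case HtmlAttr; case JsString; case UrlParam; }

function escape(string $value, Context $ctx): string
{
    return match ($ctx) {
        // Free-form text between tags: entity-encode &, <, >, " and '.
        Context::HtmlText,
        // Attribute value: same entities, but only safe when the template
        // itself emits the surrounding quotes (render() below does).
        Context::HtmlAttr => htmlspecialchars(
            $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'),
        // String literal inside <script>: HTML entities mean nothing to the
        // JS parser, so emit a JSON literal with <, >, & and quotes
        // hex-escaped; json_encode also escapes backslashes, newlines and
        // the U+2028/U+2029 line terminators.
        Context::JsString => json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR),
        // Query-string component: percent-encode per RFC 3986.
        Context::UrlParam => rawurlencode($value),
    };
}

// A context-aware engine knows at compile time which slot each value lands
// in; this hand-written renderer plays that role for a single fragment.
function render(string $displayName, string $userId): string
{
    return sprintf(
        "<a href=\"/profile?u=%s\" title=\"%s\">%s</a>\n<script>var user = %s;</script>\n",
        escape($userId, Context::UrlParam),
        escape($displayName, Context::HtmlAttr),
        escape($displayName, Context::HtmlText),
        escape($displayName, Context::JsString),
    );
}

// Constructed sample value containing characters that matter in every context.
$name = "O'Brien & <Sons> \"Ltd\"";
echo render($name, 'o.brien+42');
// The same value in each context: the four encodings are all different.
foreach (Context::cases() as $ctx) {
    printf("%-8s %s\n", $ctx->name, escape($name, $ctx));
}
```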