Newsgroups: php.internals
Date: Tue, 23 Dec 2025 15:26:29 +0500
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()
To: Anton Smirnov, internals@lists.php.net
From: sergei_vi@mail.ru (Sergei Issaev)

Hi,

Thank you for the feedback —
you’re absolutely right that htmlspecialchars() is configurable for good reasons, and that a userland helper like h() already provides a concise escape hatch today.

However, I’d like to gently push back on two points:

1. would currently be parsed as . But in practice:
- short_open_tag has been disabled by default since PHP 5.4 (2012).
- Most modern frameworks and coding standards explicitly discourage its use.
- The : it didn’t add new capability, but it made the common case easier and more consistent. aims to do the same for secure output.

That said, I hear your concern about hardcoded flags. If the community prefers, the escaping behavior could even respect default_charset and a new html_output_flags ini setting — though I’d argue opinionated security defaults are better here.

Thanks again for the critique — it’s helping sharpen the idea.

Best regards,
Sergei

On 12/23/25 15:07, Anton Smirnov wrote:
> Hi!
>
> On 23/12/2025 11:06, Sergei Issaev wrote:
>> which compiles to:
>>
>> ```
>> > ENT_HTML5, 'UTF-8'); ?>
>> ```
>
> htmlspecialchars is configurable for a reason and your flags are
> arbitrarily different from the function default
>
>> - Syntax is currently a parse error → no BC break.
>
> It's not, you forgot about short_open_tag=1, in which case it's
> interpreted as
>
>
> I basically see no value over
>
> // included earlier
> function h($s)
> {
>    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
> }
>
> // template
>
>
> It's short, it does what you want, it's available today
>
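
The flag question raised in this thread, as an added example that is not part of either message and not code from the RFC: it runs the same input through the htmlspecialchars() defaults and through the flags of the quoted h() helper. The sample strings, the labels and the function name compareFlagSets are assumptions made for this illustration.

```php
<?php
// Added illustration. Sample inputs are constructed for this example.
const FLAG_SETS = [
    'default before PHP 8.1'  => ENT_COMPAT | ENT_HTML401,
    'default since PHP 8.1'   => ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    'h() as quoted in thread' => ENT_QUOTES | ENT_HTML5,
    'h() plus ENT_SUBSTITUTE' => ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
];

const SAMPLES = [
    // Single quote: matters when the value lands in a '...'-quoted attribute.
    'single quote'  => "Tom's <b>notes</b> & more",
    // 0xE9 is Latin-1 "é"; as a lone byte it is not valid UTF-8.
    'invalid UTF-8' => "caf\xE9 <i>menu</i>",
];

/** Escape every sample under every flag set; returns [sample][flagSet] => output. */
function compareFlagSets(array $samples, array $flagSets): array
{
    $out = [];
    foreach ($samples as $name => $raw) {
        foreach ($flagSets as $label => $flags) {
            $out[$name][$label] = htmlspecialchars($raw, $flags, 'UTF-8');
        }
    }
    return $out;
}

foreach (compareFlagSets(SAMPLES, FLAG_SETS) as $name => $rows) {
    echo "== $name ==\n";
    foreach ($rows as $label => $escaped) {
        // An empty string means the whole value was dropped, not escaped.
        $shown = $escaped === '' ? '(empty string: input rejected)' : $escaped;
        printf("  %-26s %s\n", $label, $shown);
    }
}
```

Without ENT_SUBSTITUTE or ENT_IGNORE, htmlspecialchars() returns an empty string for input that is not valid in the given charset, so the two h()-style rows differ on the second sample. ENT_COMPAT leaves the single quote unescaped, which is the difference that matters for single-quoted attribute values.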