Newsgroups: php.internals
Xref: news.php.net php.internals:129680
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()
From: narf@devilix.net (Andrey Andreev)
To: Sergei Issaev
Cc: Anton Smirnov, internals@lists.php.net
Date: Tue, 23 Dec 2025 13:12:01 +0200

On Tue, Dec 23, 2025 at 12:30 PM Sergei Issaev wrote:
>
> Yes, h() works — and many projects already define it. But that’s exactly
> the problem: everyone reinvents it, often with slightly different flags,
> encoding assumptions, or error handling. This leads to:
> - Inconsistent escaping across projects or even within the same codebase.
> - Junior developers skipping escaping because “it’s not built in”.
> - Security relying on project-specific conventions rather than
> language-level defaults.
>
> By providing a standard, secure-by-default output tag in core, PHP would:
> - Reduce boilerplate.
> - Encourage safer habits out of the box.
> - Give small projects (e.g., WordPress plugins, scripts, internal tools)
> a zero-dependency way to escape safely — without requiring them to
> define or remember h().

I can relate to these pain points, but I also think your conclusions are a bit of wishful thinking.

Junior developers would still not use it, because they'd need to know it first - just like h(). Even seasoned developers would avoid it because many will deem the syntax to be ugly, and the solution imperfect.
And security gets a band-aid instead of proper protection, which is more dangerous than you'd think - I've seen it time and time again: some feature offers limited security benefits, people only care to remember that "it's secure", use it for everything without critical thought, and you end up with masses of developers believing that they write secure code when it's not even close to that. Then PHP has to take the blame for providing insecure XSS escaping.

Cheers,
Andrey.
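Added example, not code from the thread or from PHP itself: two h()-style helpers that differ only in the flags passed to htmlspecialchars() (the names h_compat() and h_strict() and the sample inputs are constructed), illustrating the "slightly different flags, encoding assumptions, or error handling" divergence Sergei describes. With ENT_COMPAT a single quote passes through unescaped, and without ENT_SUBSTITUTE htmlspecialchars() returns an empty string for invalid UTF-8, so two codebases that both "escape output" can behave differently on the same input.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Two project-style helpers that
// differ only in the flags passed to htmlspecialchars(); the function names
// are hypothetical. Run with: php compare_h.php

// Variant pinned by many older codebases: ENT_COMPAT escapes " but not '.
function h_compat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Variant with explicit, stricter flags: escape both quote styles, and
// replace invalid UTF-8 sequences with U+FFFD instead of returning ''.
function h_strict(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns, per sample, both escapings and whether they agree.
function compare_helpers(array $samples): array
{
    $rows = [];
    foreach ($samples as $label => $input) {
        $a = h_compat($input);
        $b = h_strict($input);
        $rows[$label] = ['compat' => $a, 'strict' => $b, 'same' => $a === $b];
    }
    return $rows;
}

// Constructed inputs: plain text, both quote styles next to markup, and a
// byte sequence that is not valid UTF-8 (the "encoding assumptions" case).
$samples = [
    'plain'        => 'Hello, world',
    'quotes'       => "O'Reilly said \"hi\" <b>",
    'invalid_utf8' => "caf\xE9",   // Latin-1 e-acute, invalid as UTF-8
];

foreach (compare_helpers($samples) as $label => $row) {
    printf("%-13s %s\n  compat: %s\n  strict: %s\n",
        $label,
        $row['same'] ? 'same' : 'DIFFERENT',
        var_export($row['compat'], true),
        var_export($row['strict'], true));
}
```

Only the plain-text sample escapes identically; the quotes sample differs in the single quote, and the invalid UTF-8 sample is dropped entirely by the ENT_COMPAT variant.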