Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()
From: sergei_vi@mail.ru (Sergei Issaev)
To: Andrey Andreev
Cc: Anton Smirnov, internals@lists.php.net
Date: Tue, 23 Dec 2025 16:42:38 +0500
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>

On 12/23/25 16:12, Andrey Andreev wrote:
> On Tue, Dec 23, 2025 at 12:30 PM Sergei Issaev wrote:
>
>> Yes, h() works — and many projects already define it. But that’s exactly the problem: everyone reinvents it, often with slightly different flags, encoding assumptions, or error handling. This leads to:
>> - Inconsistent escaping across projects or even within the same codebase.
>> - Junior developers skipping escaping because “it’s not built in”.
>> - Security relying on project-specific conventions rather than language-level defaults.
>>
>> By providing a standard, secure-by-default output tag in core, PHP would:
>> - Reduce boilerplate.
>> - Encourage safer habits out of the box.
>> - Give small projects (e.g., WordPress plugins, scripts, internal tools) a zero-dependency way to escape safely — without requiring them to define or remember h().
>
> I can relate to these pain points, but I also think your conclusions are a bit of wishful thinking.
>
> Junior developers would still not use it, because they'd need to know it first - just like h(). Even seasoned developers would avoid it because many will deem the syntax to be ugly, and the solution imperfect. And security gets a band-aid instead of proper protection, which is more dangerous than you'd think - I've seen it time and time again, some feature offers limited security benefits, people only care to remember that "it's secure", use it for everything without critical thought, and you end up with masses of developers believing that they write secure code when it's not even close to that. Then PHP has to take the blame for providing insecure XSS escaping.

You are correct that the syntax alone cannot provide comprehensive XSS protection, and it is important not to create a false sense of security. I will remove direct mentions of XSS from the description to avoid misleading anyone.
My main goal is not to replace contextual escaping, but to offer a standard, recognizable syntax for a frequent operation — outputting HTML-escaped strings. Yes, developers currently use htmlspecialchars(), wrappers like , etc. But it is precisely the lack of a unified, "native" method that creates inconsistency and inconvenience. Language evolution often follows the path of simplifying routine operations: array() → [], cumbersome isset() checks → the concise ??. Similarly, could become the same standard and expected way for safe output as
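Both points in the exchange above, the inconsistency between project-defined h() wrappers ("slightly different flags, encoding assumptions, or error handling") and the limit of what htmlspecialchars()-based escaping can cover, shown as an added PHP example that is not code from either participant; the function names h_compat(), h_strict() and escaping_differences() and the sample strings are assumptions constructed here.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread: two h()-style wrappers that
// differ only in htmlspecialchars() flags; names and samples are constructed.

// Style A: pre-8.1 habit, ENT_COMPAT (double quotes only) and no
// ENT_SUBSTITUTE, so invalid UTF-8 makes htmlspecialchars() return "".
function h_compat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Style B: both quote styles escaped, invalid byte sequences replaced
// with U+FFFD, HTML5 entity names (so ' becomes &apos;, not &#039;).
function h_strict(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Return every labelled input on which the two wrappers disagree.
function escaping_differences(array $inputs): array
{
    $diff = [];
    foreach ($inputs as $label => $value) {
        $a = h_compat($value);
        $b = h_strict($value);
        if ($a !== $b) {
            $diff[$label] = ['compat' => $a, 'strict' => $b];
        }
    }
    return $diff;
}

// Constructed samples: a benign apostrophe, which only the strict wrapper
// escapes, and a stray 0xFF byte, which the compat wrapper turns into an
// empty string (output silently vanishes) and the strict one into U+FFFD.
$samples = [
    'apostrophe'   => "O'Reilly",
    'invalid-utf8' => "caf\xff",
    'plain'        => 'no special characters',
];
foreach (escaping_differences($samples) as $label => $pair) {
    printf("%-12s compat=%s strict=%s\n", $label,
        var_export($pair['compat'], true), var_export($pair['strict'], true));
}

// Neither wrapper covers contexts htmlspecialchars() is not meant for
// (unquoted attributes, <script> bodies, URLs, CSS); a core tag built on
// it inherits that limit, which is the contextual-escaping point above.
```

Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so a wrapper that passes no flags escapes the apostrophe as &#039; and differs from both styles shown.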