Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:129683
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 613F81A00BC
	for <internals@lists.php.net>; Tue, 23 Dec 2025 15:43:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1766504624; bh=LAStUbk7YADjhWOnEJ5d+gUTGsffWBx0IQkm+A/yw7k=;
	h=Date:From:Subject:To:References:In-Reply-To:From;
	b=UR6xcvYYkLgsiR2rJvm/j5JdowRpfuLRoaLmGyL4/RLlNjOqD/O0xs7bHyAU4VFTn
	 7+zVcKzht3FC0JfYUKWj7fPm2rR3uQj4E/z3FG6IBEqDZjiYW+xPZnq6uma+LkV+l7
	 +x068L5ZCa2ScZp0isEeJvWTkUpzoMn7DN0kMUtDDfnATdr0qfl2kZ+r+QSu9ggOPf
	 gG34UxIWllZLkQzE3jML2d/soMxV7bBmxeND+MpjXoKnzy2+um9f8LQHRFDi1HJ+l3
	 jMHL8JkJAvJx96Zx6++a8iNSaDWxgqo9jiiUw9isSXa6dG1cX05E6fw/maxwzNyo26
	 iPgm5efovF28w==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id AED29180087
	for <internals@lists.php.net>; Tue, 23 Dec 2025 15:43:43 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <sandfox@sandfox.me>
Received: from mail-108-mta186.mxroute.com (mail-108-mta186.mxroute.com [136.175.108.186])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 23 Dec 2025 15:43:43 +0000 (UTC)
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta186.mxroute.com (ZoneMTA) with ESMTPSA id 19b4be151170004eea.001
 for <internals@lists.php.net>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 23 Dec 2025 15:43:36 +0000
X-Zone-Loop: 7db3d845073cd00aee5201c3bb2459fa9ca6f03693b9
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sandfox.me;
	s=x; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:
	Subject:From:MIME-Version:Date:Sender:Reply-To:Cc:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID; bh=vdL5S8PJnmM7HtvA+m4a8RvTM6M/eLd/SI2M6XKrzqE=; b=xAcxYx
	j8l9ADm9pv1w4lcPJLjm5a6c+IdCSaVyD2bObo8R8D+tQAfDeJ+U/NZFJvqOhLD0GcklCt21DojzY
	oxMfd5PISQLaQSzxX8d/BFQaSMSsWqCw1uPNf3nVfemEl01zX3z1RRl2lWmHpQ+pKHhxwFVVME1dG
	tajujPVWK5m4Afy3i/dN5X8VWbDXDeviZAcC8RXYreQZWHaKdr5T8ehxini9z51roxqm4vP2kxQIZ
	vqP+C3uk4mt7nDFLLRSukUvweoeErxq65/QVyWyKQELR7aPW7YucaIH/SIB6fkujeNqjdcSyvmihB
	CRC0A+QbDstjaWqjQyLVisL8dGbg==;
Message-ID: <03590ce8-8037-4409-bc0e-603c692fe349@sandfox.me>
Date: Tue, 23 Dec 2025 17:43:29 +0200
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping
 (<?~ ... ?>)
To: internals@lists.php.net
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
 <dd9cb977-37d4-4e33-ae0f-65c02502d8f9@sandfox.me>
 <c35b9f9b-9896-4b40-82fa-6d69f33b901f@mail.ru>
Content-Language: en-US
In-Reply-To: <c35b9f9b-9896-4b40-82fa-6d69f33b901f@mail.ru>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Authenticated-Id: sandfox@sandfox.me
From: sandfox@sandfox.me (Anton Smirnov)



On 23/12/2025 12:26, Sergei Issaev wrote:
> However, I’d like to gently push back on two points:
> 1. <?~ vs <? (~$expr) under short_open_tag=On
> 
> You're correct that with short_open_tag=1, <?~ $x ?> would currently be 
> parsed as <? (~$x) ?>. But in practice:
> - short_open_tag has been disabled by default since PHP 5.4 (2012).

But there is no plan to remove them, see

https://wiki.php.net/rfc/deprecate_php_short_tags_v2
https://wiki.php.net/rfc/counterargument/deprecate_php_short_tags

> - Most modern frameworks and coding standards explicitly discourage its 
> use.

Since they are still a valid code, so PHP and various coding standard 
tools must parse them correctly.

> - The <?= short echo tag is always available regardless of 
> short_open_tag, precisely because it’s treated specially.
> 
> If the RFC were to propose <?~ as a new short echo variant (like <?=), 
> it would follow the same rule: always enabled, independent of 
> short_open_tag. That would eliminate the ambiguity you mentioned.

No it doesn't. The grammar should stay consistent for every possible ini 
state. I have a feeling that the tokenizer won't even compile with this 
syntax. (not sure)

> 2. Why not just use h()?
> 
> Yes, h() works — and many projects already define it. But that’s exactly 
> the problem: everyone reinvents it, often with slightly different flags, 
> encoding assumptions, or error handling. This leads to:
> - Inconsistent escaping across projects or even within the same codebase.
> - Junior developers skipping escaping because “it’s not built in”.
> - Security relying on project-specific conventions rather than language- 
> level defaults.

That also leads to a tailored experience suitable for a specific project 
and context. I also don't see an inconsistent escaping as a huge problem 
as long as it does its job.

> By providing a standard, secure-by-default output tag in core, PHP would:
> - Reduce boilerplate.
> - Encourage safer habits out of the box.
> - Give small projects (e.g., WordPress plugins, scripts, internal tools) 
> a zero-dependency way to escape safely — without requiring them to 
> define or remember h().

Secure today does not mean secure tomorrow. With the existing function 
you can simply update the default flag set, or users can update their 
flag sets ahead of PHP. For the syntax approach to be as flexible, it 
needs to be configurable by some global state (set_escape_flags()? ini 
config?) which is also a big no-no, that would be magic quotes all over 
again, just slightly more explicit.

Magic quotes btw should be a lesson that you can't make stuff secure by 
a simple all size fits all solution.

> Think of it like <?= ... ?>: it didn’t add new capability, but it made 
> the common case easier and more consistent. <?~ ... ?> aims to do the 
> same for secure output.

<?= exists since forever and "= $expr" is not a valid code. You should 
at least choose another symbol (like "<?*")

> That said, I hear your concern about hardcoded flags. If the community 
> prefers, the escaping behavior could even respect default_charset and a 
> new html_output_flags ini setting — though I’d argue opinionated 
> security defaults are better here.

See above, also respecting default_charset is a must imho, not everyone 
uses UTF-8, East Asia specifically. Introducing a core syntax and 
excluding a huge portion of users is not a good move.

-- 
Anton