Newsgroups: php.internals
Xref: news.php.net php.internals:129686
Date: Wed, 24 Dec 2025 09:14:56 +0100
From: rob@bottled.codes ("Rob Landers")
To: "Sergei Issaev", "Anton Smirnov", internals@lists.php.net
In-Reply-To: <827cd223-226d-43c6-97f6-ccbe5492fb5e@mail.ru>
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru> <03590ce8-8037-4409-bc0e-603c692fe349@sandfox.me> <827cd223-226d-43c6-97f6-ccbe5492fb5e@mail.ru>
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping ()


On Wed, Dec 24, 2025, at 05:28, Sergei Issaev wrote:
> Hi Anton,
>
> > See above, also respecting default_charset is a must imho, not
> > everyone uses UTF-8, East Asia specifically. Introducing a core syntax
> > and excluding a huge portion of users is not a good move.
>
> The semantics of `<?: $expr ?>` would be equivalent to: `<?php echo
> htmlspecialchars($expr, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5); ?>` --
> that is, the encoding will be determined automatically via the current
> default_charset setting, as htmlspecialchars() does by default.
>
> Best regards,
> Sergei Issaev

I know this is not your intent, but this will give people a false sense of security. Much like Twig and Blade do today.

Here are some examples where this breaks, written in the context of an HTML doc:

<script>
    const name = "<?: $name ?>";
</script>

breaks with ";alert(1); //

<a href="/search?q=<?: $query ?>"...

double encodes

window.config = <?: json_encode($config) ?>

doesn't technically break... but that would be a fun bug which would encourage devs to just turn off escaping, which defeats the purpose.

....

Maybe you should consider something like this:

<?:html: or <?:h:
<?:attr:
<?:url:
<?:js:
<?:css:

Then you only choose the one for your context:

const name = <?:js: $name ?>

<a href="/search?q=<?:attr: $query ?>"...

window.config=<?:js: $config ?>

.size { width=<?:css: $width ?>; } //prevents ;}.size:after { content="<a..."

It's a bit more to type, but compared to googling the right way to do these in all the right places and vetting/hoping that it is right... it seems worth it.

— Rob
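As an added example (my code, not from the thread or from PHP itself), one way the context-specific tags proposed in the message above could map onto existing PHP functions; the esc_* function names and the sample inputs are assumptions made for illustration:

```php
<?php
declare(strict_types=1);

// HTML text content: the exact call the RFC idea proposes for <?: ... ?>.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5);
}

// Quoted attribute value. Same escaping as text content; what a separate
// tag buys is that href="/search?q=..." is not URL-encoded a second time,
// which is the "double encodes" problem raised in the message.
function esc_attr(string $s): string
{
    return esc_html($s);
}

// One query-string component; wrap in esc_attr() when it lands in an attribute.
function esc_url(string $s): string
{
    return rawurlencode($s);
}

// JavaScript literal inside an inline <script>. JSON is valid JS, and the
// HEX flags turn < > & ' " into \uXXXX, so neither a quote character nor
// a literal </script> can end the string or the script element.
function esc_js(mixed $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// CSS value: every byte outside [A-Za-z0-9] becomes a \HH hex escape (the
// trailing space terminates it), so ";" or "}" cannot close the declaration.
function esc_css(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/',
        static fn(array $m): string => sprintf('\\%02X ', ord($m[0])), $s);
}

// Constructed inputs (assumed), including the breakout string quoted above.
$name   = '";alert(1); //';
$config = ['q' => '</script><b>'];
echo 'const name = ' . esc_js($name) . ";\n";
echo 'window.config = ' . esc_js($config) . ";\n";
echo '<a href="/search?q=' . esc_attr(esc_url('a&b c')) . '">' . "\n";
echo '.size { width: ' . esc_css('10px;}') . '; }' . "\n";
```

Each escaper targets exactly one output context, which is the point of the per-context tags: the same $name value is safe in the script block only because esc_js(), not esc_html(), chose the encoding.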