Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:129691
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 99B911A00BC
	for <internals@lists.php.net>; Thu, 25 Dec 2025 09:51:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1766656296; bh=3ejJb5WwnGQ3CbY5OPd4slEZHPbOtzMT+p+0IUPNvWU=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=hX4LUftpFR2PPJxsY6345nAmSRaOrbz36wSqXNhVZaGyWcgcbrTh/yWmEPVQA3pka
	 Pdxwf4tHqrjYn2R4psBu59Rgki96w95rPX/ECcO6UFSjX3zOTPG/LL2chXWJif8oRS
	 /WOwBq8fxnbydG5mvJoGrD4YtUjqBE9O+zwktVVdaLTcJpaGBKeFIue34TKB8NVR5F
	 GtTQgK5HuN50hT5vSOlQ+orbBhvmygmoOyaMGTnN/ao9AA470XXJ/Bfm6guQN78gc7
	 3y/0900HjpjoQ+kDYQ6mdOr/hb5tJ4L0LUAXcqWW4K59LjmkOij/JFQ4f3qcjwjeNB
	 aTNU6xZXLMTew==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 38242180077
	for <internals@lists.php.net>; Thu, 25 Dec 2025 09:51:34 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <sergei_vi@mail.ru>
Received: from send218.i.mail.ru (send218.i.mail.ru [95.163.59.57])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 25 Dec 2025 09:51:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru;
	s=mail4; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From:References
	:To:Subject:MIME-Version:Date:Message-ID:From:Sender:Reply-To:To:Cc:
	Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:
	List-Archive:X-Cloud-Ids:Disposition-Notification-To;
	bh=a2N6Gc7jAT/1+DNYXLh8/HxqQ1EguZDJxb9KX/MzFLQ=; t=1766656288; x=1766746288; 
	b=JleTRg8Dp5ux0LRmc+zKCmolIxXH3PvJzidn/pfv+vgV3aXLFntnZUREc2Qxs6+23cIDt18uVTa
	/dj5PvHnYKPz9WvDnt7n6lYXieu9rp9MNFpxhJgv1puscJp/6NTLCOTO/qMFkcIIUUwbeU7v4yi/j
	DU8Q0UGBU0POHkPzw8m7iRrW6tYMg/ond7WqUzuGWN4URI79o2xR8bEoA4/U/x8xyU3OFIACxIdsq
	5f53mWSYQGqj8jLWRTH59Hx4+mzeAjf+EADtcqLvIgWy95fUL10eHURBmSWFvC1QGQ5fDUE/057pu
	k3U90CWhNSpvq0ngbHrH0z8xVVu5CiVvFSYA==;
Received: by exim-smtp-7b4fb89df9-449cf with esmtpa (envelope-from <sergei_vi@mail.ru>)
	id 1vYi0B-00000000Snw-3Bfr; Thu, 25 Dec 2025 12:51:26 +0300
Message-ID: <2354ce9a-2444-435c-91be-2ca8fbd02f91@mail.ru>
Date: Thu, 25 Dec 2025 14:51:23 +0500
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PHP-DEV] [RFC Idea] Short echo tag with automatic HTML escaping
 (<?~ ... ?>)
To: Rob Landers <rob@bottled.codes>, Anton Smirnov <sandfox@sandfox.me>,
 internals@lists.php.net
References: <7c592a80-76a5-4b16-9c7b-a354aa34802a@mail.ru>
 <dd9cb977-37d4-4e33-ae0f-65c02502d8f9@sandfox.me>
 <c35b9f9b-9896-4b40-82fa-6d69f33b901f@mail.ru>
 <03590ce8-8037-4409-bc0e-603c692fe349@sandfox.me>
 <827cd223-226d-43c6-97f6-ccbe5492fb5e@mail.ru>
 <f31c5a9c-38ad-40ba-8db5-42d1c4a6b2eb@app.fastmail.com>
Content-Language: en-US
In-Reply-To: <f31c5a9c-38ad-40ba-8db5-42d1c4a6b2eb@app.fastmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Authentication-Results: exim-smtp-7b4fb89df9-449cf; auth=pass smtp.auth=sergei_vi@mail.ru smtp.mailfrom=sergei_vi@mail.ru
X-Mailru-Src: smtp
X-7564579A: 78E4E2B564C1792B
X-77F55803: 4F1203BC0FB41BD91C727A7BAB8B3706F696822EDD5E27AD84EEE2EA74E57104182A05F5380850409CFDA955E765FC8C3DE06ABAFEAF6705891186E2B6C08BB735D8CF1F79C9047CC94F5D657025D6F1
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7F35A5D86BDFCC4EDEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637FE9EFE935CD7C6AE8638F802B75D45FF914D58D5BE9E6BC1A93B80C6DEB9DEE97C6FB206A91F05B2434E0729BD75A4782E070BE324C7D3C4B1E98F41D21C23A3BB0A4F435E46E6718B35066C979671628AA50765F7900637A75BF415DD9A57EF389733CBF5DBD5E913377AFFFEAFD269176DF2183F8FC7C07E7E81EEA8A9722B8941B15DA834481FCF19DD082D7633A0EF3E4896CB9E6436389733CBF5DBD5E9D5E8D9A59859A8B6957A4DEDD2346B42CC7F00164DA146DA6F5DAA56C3B73B237318B6A418E8EAB8D32BA5DBAC0009BE9E8FC8737B5C2249CB3CB8E9EF962DC476E601842F6C81A12EF20D2F80756B5FB606B96278B59C4276E601842F6C81A127C277FBC8AE2E8BE270C32E94023BD73AA81AA40904B5D99C9F4D5AE37F343AD1F44FA8B9022EA23BBE47FD9DD3FB595F5C1EE8F4F765FC72CEEB2601E22B093A03B725D353964B0B7D0EA88DDEDAC722CA9DD8327EE4930A3850AC1BE2E7355705F49E3A860CEDC4224003CC83647689D4C264860C145E
X-C1DE0DAB: 0D63561A33F958A59D1B1B91F502C2D95002B1117B3ED696927794839FD549386E5F408120975D33823CB91A9FED034534781492E4B8EEAD0D89974173551D4FBDAD6C7F3747799A
X-C8649E89: 1C3962B70DF3F0AD73CAD6646DEDE1918E10F71CB4DF9F9677DD89D51EBB774225B6776AC983F447FC0B9F89525902EE6F57B2FD27647F25E66C117BDB76D659DD807C7182322A4A8E89EED16092A638B8702440D140BF2854D78BAAD77FC24A5A3811B88B484797B8341EE9D5BE9A0A65EA828CB6E80AD22C51C6B2B743F3EFEC16B191DED0DF8F6536EB022892E5344C41F94D744909CE2512F26BEC029E553CB3D282126E6E1124A389F0E278DBF4
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVdtTL5f5BIXbi9er/8PFqxI=
X-Mailru-Sender: 474170D26F205C1D8FCCF7D8FDD0330E8A1B6379CBA0691BB951B70A5BD4BD8ED7CF13827C8595A9E06E9EA040CFE58236311F12C71828C63DDE9B364B0DF289A372462D1A417A85CA9B01087240937D0D4ABDE8C577C2ED
X-Mras: Ok
From: sergei_vi@mail.ru (Sergei Issaev)

Hi!

On 12/24/25 13:14, Rob Landers wrote:
 > Maybe, you should consider something like this:
 >
 > <?:html: or <?:h:
 > <?:attr:
 > <?:url:
 > <?:js:
 > <?:css:

That’s an interesting idea! However, it goes beyond the scope of this 
RFC, which aims only to introduce a concise shorthand for the frequently 
used <?= htmlspecialchars(...) ?> pattern.

A more comprehensive solution with context-specific escaping—for 
example, for HTML, attributes, URLs, JavaScript, or CSS—would indeed be 
better implemented at the templating engine level or as a dedicated module.

Moreover, as other participants in the discussion rightly pointed out, 
relying solely on automatic escaping at the rendering layer may create a 
false sense of security if developers don’t fully consider the output 
context in which data is used. In fact, such syntax doesn’t inherently 
improve security—it primarily increases coding convenience. True safety 
still depends on an explicit and context-aware choice of encoding method.

Summary of the proposal:
Introduce a new short echo tag:

```

<?: $expr ?>

```

which compiles to:

```

<?php echo htmlspecialchars($expr); ?>

```

The encoding will be determined automatically via the current 
`default_charset` setting, as `htmlspecialchars()` does by default.

The behavior flags can be configured via a new INI directive: 
`short_echo_specialchars_flags`. By default, it matches the flag values 
used by `htmlspecialchars()`.

Thank you to everyone who contributed to the discussion.


Best regards,
Sergei Issaev