Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:48184
Return-Path: <mozo@mozo.jp>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 39102 invoked from network); 4 May 2010 04:07:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 May 2010 04:07:22 -0000
Authentication-Results: pb1.pair.com smtp.mail=mozo@mozo.jp; spf=permerror; sender-id=permerror
Authentication-Results: pb1.pair.com header.from=mozo@mozo.jp; sender-id=permerror
Received-SPF: error (pb1.pair.com: domain mozo.jp from 209.85.221.191 cause and error)
X-PHP-List-Original-Sender: mozo@mozo.jp
X-Host-Fingerprint: 209.85.221.191 mail-qy0-f191.google.com  
Received: from [209.85.221.191] ([209.85.221.191:58174] helo=mail-qy0-f191.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8B/50-35441-87D9FDB4 for <internals@lists.php.net>; Tue, 04 May 2010 00:07:21 -0400
Received: by qyk29 with SMTP id 29so4772956qyk.14
        for <internals@lists.php.net>; Mon, 03 May 2010 21:07:18 -0700 (PDT)
Received: by 10.229.187.208 with SMTP id cx16mr1691398qcb.66.1272946038202; 
	Mon, 03 May 2010 21:07:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.74.3 with HTTP; Mon, 3 May 2010 21:06:58 -0700 (PDT)
In-Reply-To: <4BDE0259.3090904@moonspot.net>
References: <4BDE0259.3090904@moonspot.net>
Date: Tue, 4 May 2010 13:06:58 +0900
Message-ID: <u2gcd1fb7541005032106qb7632b6cp2bd9b72137e9bd0b@mail.gmail.com>
To: Brian Moon <brian@moonspot.net>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Using default_charset for htmlspecialchars() and others
From: mozo@mozo.jp (Moriyoshi Koizumi)

Hi,

I am under the impression that we have to provide an alternative to
htmlspecialchars() that incorporates the following ideas:

- Shorter function name
  html_escape() for example. _h() would be much more preferable in
terms of preventing XSS ;-p
- Using default_charset as the default encoding for it.
- ENT_QUOTES as default.

Regards,
Moriyoshi

On Mon, May 3, 2010 at 7:53 AM, Brian Moon <brian@moonspot.net> wrote:
> I am not sure if this has been discussed or not. I will gladly make an RFC
> if not. I think it would be very intuitive if htmlspecialchars used the ini
> value default_charset as its default. And any function that takes an
> optional character set.
>
> A) Has this been discussed?
> B) If not, do others think it is worth of a proper RFC?
>
> There would be some BC breakage for sure as the default behavior would be
> changing.
>
> --
>
> Brian.
> --------
> brianlmoon@php.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>