Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63584
Return-Path: <charlie@charliesomerville.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 59477 invoked from network); 21 Oct 2012 13:35:12 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Oct 2012 13:35:12 -0000
Authentication-Results: pb1.pair.com smtp.mail=charlie@charliesomerville.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=charlie@charliesomerville.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain charliesomerville.com designates 209.85.220.170 as permitted sender)
X-PHP-List-Original-Sender: charlie@charliesomerville.com
X-Host-Fingerprint: 209.85.220.170 mail-vc0-f170.google.com  
Received: from [209.85.220.170] ([209.85.220.170:63014] helo=mail-vc0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 79/02-22055-F0AF3805 for <internals@lists.php.net>; Sun, 21 Oct 2012 09:35:11 -0400
Received: by mail-vc0-f170.google.com with SMTP id fo14so2181667vcb.29
        for <internals@lists.php.net>; Sun, 21 Oct 2012 06:35:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type
         :x-gm-message-state;
        bh=qsdCuoQWk1e7Bzlg2cmPu1rWXKTBfGsJvv11uHI+xs0=;
        b=BIUg7L8++EnKLDOPxdDwSmtW0dh93p1zDCrt3A5WZd9QPrbzAOAZXwaVNT4E1GLA7M
         yzkG2z5H7rNYgpKOwtHj9dbLhtBhuCrvcqPbIyqUkmqNw4MXtmEB+PO/HRuhG/6p3h3G
         arXdZwBwtuguuHQIKrRhDbmdzK6Cct/jDbXz61ee4EQal12nHeJv/OlfrNc6IwUGBCiW
         zTZEOR4nTmG5gblswQXRdAH9+O5fGNCYwiXhwijz7uA1uBsNpGbryVg565wwR2m7OWU1
         +wl8slHfisH31KllwXZhV1abqqQOZBvhF3OnocQs/+fqULky73h1xgldcA/WlteHfgUf
         d49g==
MIME-Version: 1.0
Received: by 10.58.152.101 with SMTP id ux5mr10920757veb.16.1350826509109;
 Sun, 21 Oct 2012 06:35:09 -0700 (PDT)
Received: by 10.59.6.137 with HTTP; Sun, 21 Oct 2012 06:35:09 -0700 (PDT)
Received: by 10.59.6.137 with HTTP; Sun, 21 Oct 2012 06:35:09 -0700 (PDT)
Date: Mon, 22 Oct 2012 00:35:09 +1100
Message-ID: <CAO8n+WKuPB7Q6LMUmBNMdtFoXFQguoXWo8OrqEcRqiuDJn5WgA@mail.gmail.com>
To: internals@lists.php.net
Content-Type: multipart/alternative; boundary=047d7b86f7463a884104cc91cebe
X-Gm-Message-State: ALoCoQn4ZdqDPweUF3Tsrj4dsP3RG/dl/+swaeDzlw9t7h9zra0mGegQXe+ooa1TiqPIpSoN9Fv9
Subject: HTML escaped short echo tag
From: charlie@charliesomerville.com (Charlie Somerville)

--047d7b86f7463a884104cc91cebe
Content-Type: text/plain; charset=UTF-8

Hi internals,

I'd like to propose a new short tag that echos with HTML escaping.

XSS is still a significant problem for PHP apps, but it is less common in
apps written with frameworks that provide automatic HTML escaping. However,
many developers are still writing straight PHP without any framework and a
feature like this in PHP itself could prove to be incredibly handy.

One approach I sometimes use is defining a global function called h() which
passes its argument through htmlspecialchars(). This works well, but it
still adds a little bit of unwanted mental and typing overhead.

Since escaping is desired the vast majority of the time , I'd like to see a
short tag for outputting with escaping. This tag could become the de facto
standard for echoing data, with <?= being seen as the more dangerous
alternative.

The new tag should be just as short and easy to type as <?=. Personally I'm
a fan of <?- or perhaps <?~.

Looking forward to hearing some feedback on this idea.

Cheers,

Charlie.

--047d7b86f7463a884104cc91cebe--