Newsgroups: php.internals
Date: Sun, 21 Oct 2012 14:44:06 +0100
To: Charlie Somerville
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] HTML escaped short echo tag
From: dragoonis@gmail.com (Paul Dragoonis)

On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville <charlie@charliesomerville.com> wrote:

> Hi internals,
>
> I'd like to propose a new short tag that echoes with HTML escaping.
>
> XSS is still a significant problem for PHP apps, but it is less common in
> apps written with frameworks that provide automatic HTML escaping. However,
> many developers are still writing straight PHP without any framework and a
> feature like this in PHP itself could prove to be incredibly handy.
>
> One approach I sometimes use is defining a global function called h() which
> passes its argument through htmlspecialchars(). This works well, but it
> still adds a little bit of unwanted mental and typing overhead.
>
> Since escaping is desired the vast majority of the time, I'd like to see a
> short tag for outputting with escaping. This tag could become the de facto
> standard for echoing data, with alternative.
>
> The new tag should be just as short and easy to type as a fan of
> Looking forward to hearing some feedback on this idea.

How do you propose we customise the escaping of such things, using htmlentities() or htmlspecialchars()? What about the ENT_QUOTES options, or the charset to be used (UTF-8)? If you standardise such functionality then you'll need to have a callback executed.

I'm personally not a fan of your new syntax because it adds more variations to the way PHP is invoked and outputs information, but perhaps a generic escape() function is in order.

Maybe you're onto something, but I feel the new php-invoking syntax isn't the way to go about it.

- Paul.

> Cheers,
>
> Charlie.
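The two messages above turn on exactly the choices Paul lists: htmlspecialchars() versus htmlentities(), the ENT_QUOTES flag, and the charset. The following is an added example, not code from either poster or from PHP itself: a global h() helper of the kind Charlie describes, written so that each of those choices is explicit, alongside calls that show what the alternatives do on a constructed input. The name h() comes from Charlie's message; the sample strings and the ENT_SUBSTITUTE choice are this example's own assumptions.

```php
<?php
// Added example (not from the thread). h() is the helper Charlie mentions;
// the flag combination and the sample inputs below are constructed here.

declare(strict_types=1);

/**
 * Escape a value for HTML text or attribute context.
 *
 * ENT_QUOTES   escapes both " and ', so the result is safe inside single-
 *              quoted attributes as well as double-quoted ones. The older
 *              default, ENT_COMPAT, leaves ' untouched.
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD. Without it,
 *              htmlspecialchars() returns an empty string for such input,
 *              which silently drops the whole value from the page.
 * The charset is passed explicitly so the byte validation matches the
 * encoding the page actually declares.
 */
function h(?string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Constructed input mixing an apostrophe, tags, double quotes and an ampersand.
$input = "Tom's <b>\"bold\"</b> & co";

// ENT_COMPAT (the historical default): the apostrophe is left unescaped,
// so this string is not safe inside a single-quoted attribute.
$compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');

// ENT_QUOTES via h(): apostrophe, quotes, angle brackets and ampersand
// are all escaped, so the same string is safe in either attribute style.
$quotes = h($input);

// Constructed invalid UTF-8: 0xE9 is a 3-byte lead byte with no continuation.
$broken = "caf\xE9";
$dropped = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'); // empty string
$kept    = h($broken);                                     // "caf" + U+FFFD

// htmlentities() additionally rewrites every character that has a named
// entity (e.g. a non-ASCII letter). With a declared UTF-8 charset that is
// unnecessary; htmlspecialchars() covers the characters that matter for XSS.
$entities = htmlentities("café", ENT_QUOTES, 'UTF-8');
?>
<!-- Template usage: this call is what a short escaping tag would replace.
     The same helper works in text and in a single-quoted attribute. -->
<p title='<?= h($input) ?>'><?= h($input) ?></p>
```

The point of passing the flags and charset explicitly is Paul's: a built-in escaping tag would have to fix these choices for everyone, whereas a one-line helper lets a codebase decide them once and still use the plain short echo tag around it.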