Newsgroups: php.internals
Xref: news.php.net php.internals:63586
Subject: Re: [PHP-DEV] HTML escaped short echo tag
From: charlie@charliesomerville.com (Charlie Somerville)
To: Paul Dragoonis
Cc: internals@lists.php.net
Date: Mon, 22 Oct 2012 01:13:15 +1100
Message-ID: <84EDE3A151764E3D85A1B2C59E492E5E@charliesomerville.com>

> How do you propose we customise the escaping of such things, using htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the charset to be used (UTF-8)?

htmlspecialchars() with ENT_QUOTES and UTF-8 should be sufficient.

> I'm personally not a fan of your new syntax because it adds more variations to the way PHP is invoked and outputting information, but perhaps a generic escape() function is in order. Maybe you're onto something, but I feel the new php-invoking syntax isn't the way to go about it.

To clarify - I'm not proposing any new functionality. I'm specifically proposing new syntax for existing functionality.

I don't really see what benefits a generic escape() function would bring. The idea of this proposal is that it makes escaping just as easy as not escaping. At the moment many developers have a mindset of deciding whether or not they should escape something. I'd like to see that change to a mindset of specifically deciding not to escape a certain bit of output - and having an automatic escaping syntax will help that.
On Monday, 22 October 2012 at 12:44 AM, Paul Dragoonis wrote:

> On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville wrote:
> > Hi internals,
> >
> > I'd like to propose a new short tag that echoes with HTML escaping.
> >
> > XSS is still a significant problem for PHP apps, but it is less common in apps written with frameworks that provide automatic HTML escaping. However, many developers are still writing straight PHP without any framework and a feature like this in PHP itself could prove to be incredibly handy.
> >
> > One approach I sometimes use is defining a global function called h() which passes its argument through htmlspecialchars(). This works well, but it still adds a little bit of unwanted mental and typing overhead.
> >
> > Since escaping is desired the vast majority of the time, I'd like to see a short tag for outputting with escaping. This tag could become the de facto standard for echoing data, with > alternative.
> >
> > The new tag should be just as short and easy to type as > a fan of
> >
> > Looking forward to hearing some feedback on this idea.
>
> How do you propose we customise the escaping of such things, using htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the charset to be used (UTF-8)?
>
> If you standardise such functionality then you'll need to have a callback executed.
>
> I'm personally not a fan of your new syntax because it adds more variations to the way PHP is invoked and outputting information, but perhaps a generic escape() function is in order. Maybe you're onto something, but I feel the new php-invoking syntax isn't the way to go about it.
>
> - Paul.
>
> > Cheers,
> >
> > Charlie.
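The h() helper that Charlie's original post describes, written out here as an added example (it is not code from the thread, from the RFC, or from PHP itself), with the htmlspecialchars() flags his reply settles on. The ENT_SUBSTITUTE flag, the ENT_COMPAT comparison call and the attacker-controlled $name value are my own additions, chosen to show why Paul's ENT_QUOTES question matters: without it a single-quoted attribute is still injectable.

```php
<?php
// Added example, not from the thread: a global h() wrapper around
// htmlspecialchars() with ENT_QUOTES and UTF-8, as discussed on the list.
// ENT_SUBSTITUTE is an assumption beyond what the thread names: it makes
// invalid UTF-8 come back as U+FFFD instead of an empty string, so a bad
// byte sequence cannot silently blank out the output.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-controlled input aimed at a single-quoted attribute.
$name = "x' onmouseover='alert(1)";

// ENT_COMPAT (the default before PHP 8.1) encodes only double quotes, so the
// single quote in $name closes the title attribute and the rest of the
// payload becomes a new event-handler attribute.
echo "<a title='" . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>link</a>\n";

// ENT_QUOTES encodes both quote styles, so the payload stays inside the
// attribute value as inert text.
echo "<a title='" . h($name) . "'>link</a>\n";

// The thread's point: escaping should be the default, and the unescaped
// form the deliberate exception. With a plain helper that discipline is
// still on the template author; <?= h($name) ?> is the escaped form and a
// bare <?= $name ?> is the one that needs a justification.
?>
<p>Hello, <?= h($name) ?></p>
```

Two choices worth noting. The cast to string is there because passing null to htmlspecialchars() is deprecated as of PHP 8.1, and a helper like this is exactly where nulls from missing request parameters end up. And the flags are spelled out rather than left to the default even though PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401: code that has to run on older versions, or that is copied into them, should not depend on which default it gets.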