Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:64979
Return-Path: <davidkmuir@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6144 invoked from network); 15 Jan 2013 22:24:47 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Jan 2013 22:24:47 -0000
Authentication-Results: pb1.pair.com header.from=davidkmuir@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=davidkmuir@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.210.49 as permitted sender)
X-PHP-List-Original-Sender: davidkmuir@gmail.com
X-Host-Fingerprint: 209.85.210.49 mail-da0-f49.google.com  
Received: from [209.85.210.49] ([209.85.210.49:41720] helo=mail-da0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 75/A1-33004-E27D5F05 for <internals@lists.php.net>; Tue, 15 Jan 2013 17:24:47 -0500
Received: by mail-da0-f49.google.com with SMTP id v40so243554dad.22
        for <internals@lists.php.net>; Tue, 15 Jan 2013 14:24:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=x-received:message-id:date:from:user-agent:mime-version:to:cc
         :subject:references:in-reply-to:content-type
         :content-transfer-encoding;
        bh=n3Ca4+dSUzYnp8MUsLxzdDfkoZcMLOdnbXFYW/arlpI=;
        b=Q0sYGy7H4hAOWEDnHu+wAacKRiYJ3IvKsv+hu4WOq0tLLh2pUzwRHwqc5Gvwg4LDs8
         4aWcx8E5XtpdbCu6ZbKudFJ/HzfQMBzb4E6OjtGhFmY8yfZB0ozEYbCk9+OJWSNTZz9T
         mfSm5PQVuNpv2cNg8iOzuGFg6+aOzHm4qdGe/Qxl7usKcImXULnY/ag+1PLYgw0jv9nx
         rUViNxaC9YoY5goDpcBitvtsiWiqt0TctFHJQZ6kzhW3DmRkUB4i5aYlww5F94msyQtL
         E14EhLjNkGdNws5vtTHtyjt1xKsLYnDyv5zwPJipo8lpr1xF+CtpPKtDlSq1NeJR9WbD
         GbbQ==
X-Received: by 10.66.72.198 with SMTP id f6mr244898092pav.42.1358288684208;
        Tue, 15 Jan 2013 14:24:44 -0800 (PST)
Received: from [192.168.1.181] (tmwpho1.lnk.telstra.net. [110.142.207.74])
        by mx.google.com with ESMTPS id ot3sm10931310pbb.38.2013.01.15.14.24.41
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 15 Jan 2013 14:24:42 -0800 (PST)
Message-ID: <50F5D726.4040908@gmail.com>
Date: Wed, 16 Jan 2013 09:24:38 +1100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Thomas Bley <thbley+php@gmail.com>
CC: internals@lists.php.net
References: <CA+_UWzpyvYjThkyKCJZxgKMRKw5RX91EHYBLZ6-P3Yq6ze0ynA@mail.gmail.com>
In-Reply-To: <CA+_UWzpyvYjThkyKCJZxgKMRKw5RX91EHYBLZ6-P3Yq6ze0ynA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] New operator for htmlspecialchars
From: davidkmuir@gmail.com (David Muir)

On 16/01/13 08:22, Thomas Bley wrote:
> Hello,
>
> I created a small ticket to propose a shorter syntax for htmlspecialchars:
>
> old:
> <?= htmlspecialchars($str, ENT_QUOTES) ?>
>
> new:
> <?+ $str ?>
> or:
> <?~ $str ?>
>
> any comments, pros and cons?
>
> https://bugs.php.net/bug.php?id=62574
>
> Best regards,
> Thomas
>

The problem here is that htmlspecialchars only covers html body, and not 
html attributes, or other contexts (eg js, css, urls).

You're better off using something like Zend\Escaper, or Symfony's escaper.

The escaper RFC also gives a good amount of detail:
https://wiki.php.net/rfc/escaper

As for the shorter syntax with automatic output, I think it makes the 
code harder to read.

Cheers,
David