Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: Pádraic Brady <padraic.brady@gmail.com>
To: Rouven Weßling
Cc: Stas Malyshev, Yasuo Ohgaki, internals@lists.php.net
Date: Sun, 2 Feb 2014 13:55:32 +0000
In-Reply-To: <946C4AF4-4656-4F7A-B1C6-7D1144FEFB3D@rouvenwessling.de>
References: <52EDBB30.3070209@ajf.me> <52EE1C2B.7030702@sugarcrm.com> <946C4AF4-4656-4F7A-B1C6-7D1144FEFB3D@rouvenwessling.de>

Hi all,

It's dated but: https://wiki.php.net/rfc/escaper

I see Yasuo edited it a wee bit in September on its 1 year anniversary to add ext/filter as an option. I had hoped Anthony would get around to it but c'est la vie.

Without quotes you need to escape almost ALL non-alphanumeric characters in an attribute value just to make sure you cover every known and unknown browser parsing oddity. It's just a bad practice full stop despite HTML5 allowing it.

ENT_QUOTES should be the default for obvious reasons. It escapes quotes.

htmlentities() doesn't do anything more than htmlspecialchars() unless you count turning "Pádraic Ó'Brádaigh" into "P&aacute;draic &Oacute;'Br&aacute;daigh" as a positive benefit to the Irish language and the size of its webpages :P.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
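An added example, not code from the thread or from the Escaper RFC: a Python sketch of the attribute-context rule the message describes (escape everything outside [A-Za-z0-9], as the Escaper RFC borrows from OWASP), beside an emulation of htmlspecialchars() with and without ENT_QUOTES, plus a check showing that only the attribute escaper's output is free of the characters that can end an unquoted attribute value. The function names and the ENT_COMPAT/ENT_QUOTES emulation are assumptions of this example; the sample input is constructed.

```python
import html
import re

# Constructed for this example: characters that the HTML5 syntax does not allow
# inside an unquoted attribute value (whitespace, both quotes, =, <, >, `).
UNQUOTED_ATTR_FORBIDDEN = re.compile(r"[\s\"'=<>`]")

# A few readable named entities; every other non-alphanumeric char becomes &#xHH;.
_NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def escape_html_attr(value: str) -> str:
    """Attribute-context rule in the Escaper RFC / OWASP style: leave only
    [A-Za-z0-9] untouched so the result cannot terminate an attribute even
    when the template author forgot the quotes."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch in _NAMED:
            out.append(_NAMED[ch])
        else:
            out.append(f"&#x{ord(ch):X};")
    return "".join(out)


def escape_html_compat(value: str) -> str:
    """Emulates htmlspecialchars() with ENT_COMPAT, the default before PHP 8.1:
    &, <, > and double quotes are escaped, single quotes are left alone."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def escape_html_quotes(value: str) -> str:
    """Emulates htmlspecialchars() with ENT_QUOTES: single quotes become &#039; too."""
    return escape_html_compat(value).replace("'", "&#039;")


def safe_in_unquoted_attr(escaped: str) -> bool:
    """True when the escaped text contains nothing that can end an unquoted value."""
    return UNQUOTED_ATTR_FORBIDDEN.search(escaped) is None


if __name__ == "__main__":
    sample = "Ó'Brádaigh x=1"  # constructed input with a quote, a space and '='
    for fn in (escape_html_compat, escape_html_quotes, escape_html_attr):
        print(f"{fn.__name__:20} {safe_in_unquoted_attr(fn(sample))!s:5} {fn(sample)}")
```

Even with ENT_QUOTES the htmlspecialchars()-style output still carries spaces and `=`, which is why the message calls unquoted attributes a bad practice regardless of flags.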