Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72020
Return-Path: <me@rouvenwessling.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33233 invoked from network); 2 Feb 2014 22:55:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2014 22:55:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=me@rouvenwessling.de; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=me@rouvenwessling.de; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain rouvenwessling.de designates 5.35.242.46 as permitted sender)
X-PHP-List-Original-Sender: me@rouvenwessling.de
X-Host-Fingerprint: 5.35.242.46 rouvenwessling.de Linux 2.6
Received: from [5.35.242.46] ([5.35.242.46:59808] helo=lvps5-35-242-46.dedicated.hosteurope.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 69/B4-30967-DDCCEE25 for <internals@lists.php.net>; Sun, 02 Feb 2014 17:55:25 -0500
Received: by lvps5-35-242-46.dedicated.hosteurope.de (Postfix, from userid 5001)
	id 226A469F03AA; Sun,  2 Feb 2014 23:55:22 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	lvps5-35-242-46.dedicated.hosteurope.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
	autolearn=unavailable version=3.3.1
Received: from rouvens-air-7.localdomain (xdsl-89-0-231-187.netcologne.de [89.0.231.187])
	by lvps5-35-242-46.dedicated.hosteurope.de (Postfix) with ESMTPA id 6854969F007D;
	Sun,  2 Feb 2014 23:55:21 +0100 (CET)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
In-Reply-To: <CALwr1Gkt2eY1dGN3jHuNKfBkyQ0KenfgZ6m5Mx3jJz69JBYMTA@mail.gmail.com>
Date: Sun, 2 Feb 2014 23:55:21 +0100
Cc: Stas Malyshev <smalyshev@sugarcrm.com>,
 Yasuo Ohgaki <yohgaki@ohgaki.net>,
 "internals@lists.php.net" <internals@lists.php.net>
Content-Transfer-Encoding: quoted-printable
Message-ID: <74E221DC-668E-4DFB-B0E5-20F214E82262@rouvenwessling.de>
References: <CAGa2bXbFk3+ScywpkeGcFUcmVvxLRHeWrdObvOshx6NjuB2YHw@mail.gmail.com> <52EDBB30.3070209@ajf.me> <CAGa2bXYMPM2+HinAANcDv2gvGNtfPHYFcKr=qrmXrsRPEbsiog@mail.gmail.com> <52EE1C2B.7030702@sugarcrm.com> <946C4AF4-4656-4F7A-B1C6-7D1144FEFB3D@rouvenwessling.de> <CALwr1Gkt2eY1dGN3jHuNKfBkyQ0KenfgZ6m5Mx3jJz69JBYMTA@mail.gmail.com>
To: =?iso-8859-1?Q?P=E1draic_Brady?= <padraic.brady@gmail.com>
X-Mailer: Apple Mail (2.1822)
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape
From: me@rouvenwessling.de (=?iso-8859-1?Q?Rouven_We=DFling?=)


On 02.02.2014, at 14:55, P=E1draic Brady <padraic.brady@gmail.com> =
wrote:

> Without quotes you need to escape almost ALL non alphanumeric =
characters in an attribute value just to make sure you cover every known =
and unknown browser parsing oddity. It's just a bad practice full stop =
despite HTML5 allowing it.
>=20
> ENT_QUOTES should be the default for obvious reasons. It escapes =
quotes.

Just to be clear, the current default (ENT_COMPAT) does escape double =
quotes. The change to ENT_QUOTES would escape single quotes as well.

Best regards
Rouven=