Newsgroups: php.internals
Message-ID: <52F01654.6080903@sugarcrm.com>
Date: Mon, 03 Feb 2014 14:21:08 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
To: Yasuo Ohgaki, Pádraic Brady
CC: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape

Hi!

> Use of this option is not recommended, but there is the standard. We may
> support it even if we don't recommend it.

Nowhere in any standard does it say we must use htmlentities to support every
possible context. There are contexts where htmlentities is completely
unsuitable - such as unquoted attributes, JavaScript, CSS, etc. In these
contexts, other ways of escaping output should be used.

I get the impression you're trying to fit a square peg into a round hole here.
There are other ways to escape things and they should match the context
the output is used in. Trying to serve every scenario with one function
would not work.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
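
Added example, not part of the message above and not PHP's own code: it places htmlspecialchars() next to a context-specific escaper in the three contexts the message names (unquoted attribute, JavaScript, CSS). The helpers esc_attr(), esc_js() and esc_css() are hypothetical names, the sample values are constructed, and the code assumes PHP 7.3+ with mbstring and valid UTF-8 input.

```php
<?php
// Added illustration; esc_attr(), esc_js() and esc_css() are hypothetical helpers.

// HTML attribute value: encode every non-alphanumeric as a numeric reference,
// so the value holds together even when the attribute is written unquoted.
function esc_attr(string $s): string {
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        // Control characters are not valid as references; substitute U+FFFD.
        $bad = ($cp < 0x20 && !in_array($cp, [0x09, 0x0A, 0x0D], true))
            || ($cp >= 0x7F && $cp <= 0x9F);
        return sprintf('&#x%X;', $bad ? 0xFFFD : $cp);
    }, $s) ?? '';
}

// JavaScript string: emit a complete quoted literal; the HEX flags keep
// <, >, &, ' and " out of the output so it is also safe inside <script>.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// CSS value: backslash-hex escape, terminated by a space, for every
// non-alphanumeric character.
function esc_css(string $s): string {
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s) ?? '';
}

$value = 'blue size=40';      // constructed sample input
// htmlspecialchars() leaves the space alone, so in an unquoted attribute the
// browser parses "size=40" as a second attribute of the tag.
echo '<input value=', htmlspecialchars($value), ">\n";
echo '<input value=', esc_attr($value), ">\n";

$name = "Tom & Jerry\\";      // constructed sample input ending in a backslash
// Inside <script>, entities are not decoded and the backslash is untouched:
// the data is altered and the trailing backslash escapes the closing quote.
echo "<script>var n = '", htmlspecialchars($name), "';</script>\n";
echo '<script>var n = ', esc_js($name), ";</script>\n";

$font = 'Arial; color: red';  // constructed sample input
// htmlspecialchars() passes ';' and ':' through, so a second declaration appears.
echo '<p style="font-family: ', htmlspecialchars($font), "\">\n";
echo '<p style="font-family: ', esc_css($font), "\">\n";
```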