Newsgroups: php.internals
Xref: news.php.net php.internals:72262
Date: Wed, 5 Feb 2014 10:54:07 +0000
From: Pádraic Brady <padraic.brady@gmail.com>
To: Yasuo Ohgaki
Cc: Andrea Faulds, internals@lists.php.net
References: <52F10DE9.3040504@ajf.me>
Subject: Re: [PHP-DEV] [RFC] Improve HTML escape

Hi Yasuo,

On 5 February 2014 02:10, Yasuo Ohgaki wrote:
> Is it ready to vote?
> No more issues to discuss?
> Anyone?

I would remove all mention of htmlentities() other than briefly noting that it would also be changed as part of the RFC. The rationale is that the proper escaping function for HTML is htmlspecialchars() (so emphasise that function). htmlentities() escapes anything with a suitable HTML entity, including non-special UTF-8 characters, i.e. it's overkill and it disproportionately increases output size in non-English languages such as Gaelic. The use of htmlentities() is just a senseless bad habit by English-speaking programmers based on historic ties to non-Unicode output that needs to die already:
http://stackoverflow.com/questions/12648655/html-encoding-of-japanese-text

I would also split the vote into three sections:

1. Should we escape single quotes by default?
2. Should we escape forward slashes by default?
3. Should we deprecate ENT_COMPAT and ENT_QUOTES?

The main risk I'd see is if people don't want to escape forward slashes and kill the entire RFC over that one change.

You also don't mention single quotes anywhere in the RFC ;). You should note that with an example so voters know it will be encoded by default.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
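The following is an added illustration of the three points in the reply above (single-quote escaping, forward-slash escaping, and htmlentities() output bloat); it is not code from the message, the RFC, or PHP itself. The untrusted input and the Gaelic sample string are constructed for the example. Flags are passed explicitly so the output does not depend on a given PHP version's defaults (PHP 8.1 later made ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 the default for both functions; before that the default was ENT_COMPAT, which leaves single quotes alone).

```php
<?php
// Added example, not part of the original message or RFC.
// All sample strings below are constructed for illustration.
declare(strict_types=1);

// 1. Single quotes: an attacker-controlled value landing in a
//    single-quoted attribute. ENT_COMPAT only encodes double quotes,
//    so the value breaks out of the attribute; ENT_QUOTES keeps it inside.
$untrusted = "x' onmouseover='alert(1)";

$compat = htmlspecialchars($untrusted, ENT_COMPAT | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
$quotes = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');

echo "ENT_COMPAT: <a title='{$compat}'>link</a>\n";   // attribute is broken out of
echo "ENT_QUOTES: <a title='{$quotes}'>link</a>\n";   // ' becomes &#039;, stays inside

// 2. Forward slashes: neither function touches '/', which is what the
//    second vote item in the reply is about.
$withSlash = '</b>text';
echo htmlspecialchars($withSlash, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n"; // &lt;/b&gt;text

// 3. Output size: htmlentities() rewrites every character that has a
//    named entity (á, é, í, ...), htmlspecialchars() only the five
//    HTML-significant ones (& < > " '). Compare byte lengths on a
//    constructed Irish-language string.
$gaelic = 'Tá mé go maith, go raibh míle maith agat';

$hs = htmlspecialchars($gaelic, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$he = htmlentities($gaelic, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

printf("htmlspecialchars: %3d bytes  %s\n", strlen($hs), $hs);
printf("htmlentities:     %3d bytes  %s\n", strlen($he), $he);

// The two outputs render identically in a UTF-8 document; the extra bytes
// from htmlentities() buy nothing once the page is served as UTF-8.
```

Run with `php example.php`. The ENT_COMPAT line shows why the reply asks the RFC to state, with an example, that single quotes will be encoded by default; the byte counts show the cost of htmlentities() on non-English text that the reply objects to.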