Newsgroups: php.internals
Xref: news.php.net php.internals:72734
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Fri, 21 Feb 2014 12:19:57 +0000
Subject: Re: [PHP-DEV] [VOTE] Improve HTML escape
Message-ID: <5307446D.4050404@lsces.co.uk>
References: <530668F8.9050005@gmail.com>

Yasuo Ohgaki wrote:
>> > I don't mind adding
>> >
>> > - ENT_SINGLE (escape only ')
>> > - ENT_DOUBLE (escape only ". Same as ENT_COMPAT, but better name)
>> >
>> > as HTML5 supports ", ' and no quotes for attributes. It seems good for
>> > completeness. This would be an issue for a new RFC, though. I may write a new RFC
>> > for this when this is over if many of you think this is better to have.
>> >
>
> Correction.
> To control escape fully, we need
>
> - ENT_SINGLE (escape only ')
> - ENT_DOUBLE (escape only ". Same as ENT_COMPAT, but better name)
> - ENT_AMP (escape only &)
> - ENT_SEMI_COLON (escape only ;)
> - ENT_SLASH (escape only /)
>
> It seems too much...

Yasuo

I think the problem here is that there is not a single 'good' answer here? If there were a single combination that worked for everything then there would not be a problem, but some legacy installations will be broken by htmlspecialchars() and htmlspecialchars_decode() now returning different results? Some changes were only introduced in 5.4.0 and need to be assimilated to allow further changes to happen cleanly?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
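The two points the thread turns on, shown in an added example that is not part of the message or of the RFC: which of the five characters in Yasuo's list the existing htmlspecialchars() flag sets actually escape (the proposed ENT_SEMI_COLON and ENT_SLASH flags do not exist in PHP, so ';' and '/' are never escaped), and Lester's round-trip concern, where a value escaped under one flag set and decoded under another does not come back unchanged. The sample input is constructed; the helper names are my own. It assumes PHP 7.1 or later for the syntax; the flags themselves exist since 5.4.0.

```php
<?php
// Added example, not from the thread: which of the characters Yasuo lists are
// escaped by htmlspecialchars() under the flag sets that already exist, and why
// decoding with a different flag set from the one used to encode does not
// round-trip. Assumes PHP >= 7.1 (syntax); ENT_HTML401/ENT_HTML5 exist since 5.4.0.

// The five characters from Yasuo's list, in the order he gives them.
const DISCUSSED = ["'", '"', '&', ';', '/'];

// Constructed untrusted value containing all of them.
const SAMPLE = "O'Brien said \"hi\" & left; path/to";

/**
 * Return the subset of DISCUSSED that htmlspecialchars() leaves untouched
 * under $flags. Checking one character at a time avoids confusing the ';'
 * that terminates an emitted entity with a literal ';' in the input.
 */
function unescapedChars(int $flags): array
{
    $left = [];
    foreach (DISCUSSED as $ch) {
        if (htmlspecialchars($ch, $flags, 'UTF-8') === $ch) {
            $left[] = $ch;
        }
    }
    return $left;
}

/**
 * True when escaping with $encodeFlags and then decoding with $decodeFlags
 * gives back the original value; false when some entity is left behind.
 */
function roundTrips(string $value, int $encodeFlags, int $decodeFlags): bool
{
    $escaped = htmlspecialchars($value, $encodeFlags, 'UTF-8');
    return htmlspecialchars_decode($escaped, $decodeFlags) === $value;
}

$flagSets = [
    'ENT_NOQUOTES'           => ENT_NOQUOTES | ENT_HTML401,
    'ENT_COMPAT'             => ENT_COMPAT   | ENT_HTML401,
    'ENT_QUOTES'             => ENT_QUOTES   | ENT_HTML401,
    'ENT_QUOTES | ENT_HTML5' => ENT_QUOTES   | ENT_HTML5,
];

foreach ($flagSets as $name => $flags) {
    printf("%-22s escaped:    %s\n", $name, htmlspecialchars(SAMPLE, $flags, 'UTF-8'));
    printf("%-22s left as-is: %s\n", '', implode(' ', unescapedChars($flags)));
}
// ENT_COMPAT leaves the single quote alone, so a value escaped with it is only
// safe inside a double-quoted attribute; ENT_QUOTES covers both quoting styles,
// which matters once HTML5 allows ", ' or no quotes around attribute values.

// Mixed flag sets on the encode and decode side: the breakage Lester describes.
$checks = [
    'encode ENT_QUOTES, decode ENT_QUOTES'            => [ENT_QUOTES | ENT_HTML401, ENT_QUOTES | ENT_HTML401],
    'encode ENT_QUOTES, decode ENT_COMPAT'            => [ENT_QUOTES | ENT_HTML401, ENT_COMPAT | ENT_HTML401],
    'encode ENT_QUOTES|ENT_HTML5, decode ENT_QUOTES'  => [ENT_QUOTES | ENT_HTML5,   ENT_QUOTES | ENT_HTML401],
];
foreach ($checks as $name => [$enc, $dec]) {
    // Under ENT_COMPAT the decoder skips &#039; because single quotes are out of
    // scope; under ENT_HTML401 it skips &apos; because that entity is not in the
    // HTML 4.01 table (it is emitted only for ENT_HTML5/ENT_XHTML/ENT_XML1).
    printf("%-48s round-trips: %s\n", $name, roundTrips(SAMPLE, $enc, $dec) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The first loop shows that ';' and '/' survive every existing flag set, which is exactly the gap the proposed ENT_SEMI_COLON and ENT_SLASH flags would close; the second loop shows that only the first pair round-trips, so any change to the default flags has to be applied to both htmlspecialchars() and htmlspecialchars_decode() in a code base at the same time, otherwise stored data escaped under the old default comes back with entities still in it.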