Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Sun, 23 Feb 2014 14:03:11 +0900
Subject: Re: [PHP-DEV] [VOTE] Improve HTML escape
To: Lester Caine
Cc: "internals@lists.php.net"

Hi Lester,

On Fri, Feb 21, 2014 at 9:19 PM, Lester Caine wrote:

> Yasuo Ohgaki wrote:
>
>>> I don't mind adding
>>>
>>> - ENT_SINGLE(escape only ')
>>> - ENT_DOUBLE(escape only ". Same as ENT_COMPAT, but better name)
>>>
>>> as HTML5 supports ", ' and no quotes for attributes. It seems good for
>>> completeness. This would be issue for new RFC, though. I may write new RFC
>>> for this when this is over if many of think this is better to have.
>>>
>> Correction.
>> To control escape fully, we need
>>
>> - ENT_SINGLE(escape only ' )
>> - ENT_DOUBLE(escape only ". Same as ENT_COMPAT, but better name)
>> - ENT_AMP(escape only & )
>> - ENT_SEMI_COLON(escape only ; )
>> - ENT_SLASH(escape only / )
>>
>> It seems too much...
>>
>
> Yasuo
> I think the problem here is that there is not a single 'good' answer here?
> If there was a single combination that worked for everything then there
> would not be a problem, but some legacy installations will be broken by
> htmlspecialchars() and htmlspecialchars_decode() now returning different
> results? Some changes were only introduced in 5.4.0 and need to be
> assimilated to allow further changes to happen cleanly?

Decoding should be a problem, but I'll be careful about it.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
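
The encode/decode mismatch raised in the quoted reply can be reproduced with the quote flags PHP already has. The following PHP is an added example, not code from this thread or from php-src; the sample strings are constructed, and the flags proposed in the thread (ENT_SINGLE and the others) are not used.

```php
<?php
// Added example. Flags are passed explicitly to both functions because the
// default flag set depends on the PHP version in use.

// Constructed sample values: an ampersand, double quotes, a single quote.
$samples = ['Tom & Jerry', 'say "hi"', "it's"];

// Existing quote-handling flags, each combined with the HTML 4.01 doctype flag.
$flagSets = [
    'ENT_NOQUOTES' => ENT_NOQUOTES | ENT_HTML401, // escapes neither quote
    'ENT_COMPAT'   => ENT_COMPAT   | ENT_HTML401, // escapes " only
    'ENT_QUOTES'   => ENT_QUOTES   | ENT_HTML401, // escapes " and '
];

/**
 * Encode with one flag set, decode with another, and report whether the
 * original string comes back unchanged.
 */
function roundTrips(string $raw, int $encodeFlags, int $decodeFlags): bool
{
    $encoded = htmlspecialchars($raw, $encodeFlags, 'UTF-8');
    return htmlspecialchars_decode($encoded, $decodeFlags) === $raw;
}

foreach ($samples as $raw) {
    foreach ($flagSets as $encName => $encFlags) {
        $encoded = htmlspecialchars($raw, $encFlags, 'UTF-8');
        printf("%-12s %-12s -> %s\n", $encName, $raw, $encoded);

        // A decoder using a narrower flag set leaves some entities in place,
        // so stored data no longer matches what was originally submitted.
        foreach ($flagSets as $decName => $decFlags) {
            if (!roundTrips($raw, $encFlags, $decFlags)) {
                printf("    decoding with %s does not restore the input\n", $decName);
            }
        }
    }
}

// ENT_COMPAT and ENT_NOQUOTES leave ' untouched, so their output is only
// suitable for element content or double-quoted attribute values, not for
// single-quoted or unquoted attributes.
```

Code that pairs the two functions should pass the same explicit flags to both rather than relying on defaults that can differ between PHP versions.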