Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RESULT] [RFC] PHP 5.7
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
Date: Sun, 11 Jan 2015 16:05:10 +0900
To: Pierre Joye
Cc: François Laupretre, PHP internals, Andrea Faulds
References: <14F63BD9-73FD-49A3-9EA2-48FE35DB915C@ajf.me>, <003e01d02d68$94fa8880$beef9980$@tekwire.net>

Hi all,

On Sun, Jan 11, 2015 at 3:36 PM, Pierre Joye wrote:
>
> > Well, the feature list for PHP7 is not closed yet. I hope new attractive
> > features will be added soon because, otherwise, it will be very hard to
> > sell. And we need attractive features in the first release, not 7.1 or 7.2,
> > which will never have the same exposure.
>
> I cannot say it in a better way. Full ack.
>

I agree with this, too.

As the internet has become a hunting place for professional crackers
(criminals), I really would like to make PHP secure by default. It's
getting better, but it is not enough.

One example is htmlspecialchars(). HTML 5 allows attributes quoted by "
or ' and w/o quotes. It does not produce a safe string by default.

Another example is "embed script by default/always". It's a needless
risk (i.e. Local/Remote Script Inclusion), IMHO.

Yet another example is the lack of a JavaScript string escape function.

I also would like to see the OpenSSL/LibreSSL extension enabled by default.

Security improvements may hopefully attract many users.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
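The two escaping points Yasuo raises above (the htmlspecialchars() default and the missing JavaScript string escaper), as an added example that is not part of this thread and not PHP's own code. Before PHP 8.1 the default flags of htmlspecialchars() were ENT_COMPAT | ENT_HTML401, which converts double quotes but leaves single quotes untouched; PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. The sample input is constructed, and the helper safeForQuotedAttribute() is a hypothetical name for a check a code base might run.

```php
<?php
// Added example (not from the mailing-list thread): compares the
// pre-8.1 default flags of htmlspecialchars() with an explicit
// ENT_QUOTES | ENT_HTML5 call, and shows json_encode() used as a
// JavaScript string escaper. Sample input is constructed.

declare(strict_types=1);

// Constructed untrusted value: contains both quote styles plus the
// usual HTML metacharacters.
$untrusted = "it's <b>\"bold\"</b> & more";

// 1. Default flags (ENT_COMPAT | ENT_HTML401 before PHP 8.1):
//    double quotes become &quot;, but the single quote is left alone,
//    so the result is only safe inside a double-quoted attribute.
$defaultEscaped = htmlspecialchars($untrusted);

// 2. Explicit flags: ENT_QUOTES escapes both quote kinds, ENT_HTML5
//    selects HTML5 entity names (&apos; for the single quote), and
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
//    empty string. The result is safe inside a double- or single-quoted
//    attribute. Unquoted attributes are still not safe, because spaces
//    are never escaped; always quote attribute values.
$strictEscaped = htmlspecialchars(
    $untrusted,
    ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
    'UTF-8'
);

// 3. JavaScript string context: json_encode() with the JSON_HEX_* flags
//    yields a double-quoted JS string literal in which <, >, &, ' and "
//    are hex-escaped, so the value cannot terminate a surrounding
//    <script> block or an inline event-handler attribute.
$jsLiteral = json_encode(
    $untrusted,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

// Hypothetical check: a value destined for a quoted attribute must not
// contain a raw quote of either kind after escaping.
function safeForQuotedAttribute(string $escaped): bool
{
    return strpos($escaped, '"') === false && strpos($escaped, "'") === false;
}

printf("default : %s\n", $defaultEscaped);
printf("strict  : %s\n", $strictEscaped);
printf("js      : %s\n", $jsLiteral);
var_dump(safeForQuotedAttribute($defaultEscaped));
var_dump(safeForQuotedAttribute($strictEscaped));
```

Run it with `php example.php`: the default output still carries the raw single quote, so the check fails for it and passes for the ENT_QUOTES form. The json_encode() line is the closest thing PHP ships to the JavaScript string escaper the message asks for; it only covers the string-literal context, so a value placed inside a script block still needs to be emitted as a quoted literal, never interpolated bare.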