Newsgroups: php.internals
Xref: news.php.net php.internals:86816
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Wed, 24 Jun 2015 06:37:56 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Xinchen Hui
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Optimizing php_html_entities()

Hi Xinchen,

On Tue, Jun 23, 2015 at 11:33 PM, Xinchen Hui wrote:
> But passing a non-string to htmlspecialchars is not a commonly used case..
>
> "optimize" not commonly used cases... will bring nothing to us..

The reason why I brought this up now is the scalar type hint. Before PHP7, people didn't care whether data sent from the browser was actually a string, e.g. age, month, date, etc. However, this optimization has more effect because of PHP7's type hints, which convert the data type "always", and users must escape regardless of its type. A wrong data type assumption is a common source of JavaScript injections.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
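The situation Yasuo describes, as an added illustration that is not part of the thread or of PHP's own code: under PHP 7's coercive scalar type declarations a numeric request value arrives in the function body already converted to `int`, so the value handed to `htmlspecialchars()` is routinely a non-string; and where no type is declared, the "it is always a number" assumption is never checked, so the escaping must not depend on it. The `esc()` helper, the two `renderAge*()` functions and the `$samples` inputs are constructed for this example.

```php
<?php
// Added example, not from the mailing-list thread or from PHP itself.
// Assumes PHP 7+ in the default coercive typing mode (no strict_types).

// Constructed helper: escape any scalar for an HTML text or attribute
// context. Casting to string first makes the call correct for int/float
// values as well as strings, so callers never need to know the type.
function esc($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// With a scalar type declaration, a numeric string such as "42" from the
// request is coerced to int before the body runs, so esc() receives an int.
// A non-numeric string is rejected with a TypeError at the call boundary.
function renderAge(int $age): string
{
    return '<span class="age">' . esc($age) . '</span>';
}

// Without a type declaration, whatever the browser sent reaches the
// template as-is. Escaping unconditionally is what keeps this safe when
// the "age is always a number" assumption turns out to be wrong.
function renderAgeUnchecked($age): string
{
    return '<span class="age">' . esc($age) . '</span>';
}

// Constructed sample inputs standing in for $_GET['age'].
$samples = ['42', '<b>not a number</b>'];

foreach ($samples as $input) {
    echo "input:   ", $input, "\n";
    try {
        echo "typed:   ", renderAge($input), "\n";
    } catch (TypeError $err) {
        echo "typed:   rejected (", $err->getMessage(), ")\n";
    }
    echo "untyped: ", renderAgeUnchecked($input), "\n\n";
}
```

For `'42'` both functions emit `<span class="age">42</span>`; the typed version did so by escaping an `int`, which is the "non-string passed to htmlspecialchars" path the optimization targets. For the second input the typed function throws a `TypeError`, while the untyped one emits the markup entity-encoded because `esc()` never assumed a type.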