Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Михаил Востриков, internals@lists.php.net
Date: Fri, 17 Jun 2016 13:14:40 -0700

Hi!

> Most output code is output of the properties of database entities, and
> only in some cases is it necessary to concatenate HTML into a string and then
> print it with unescaped output. An escaped output operator can be useful. Also,
> we output data not into the void and not into a simple text file, but into
> an HTML document which has a certain format (markup). Also, this is logical -
> to have both forms, escaped and unescaped.

This has been discussed on the list a number of times. The main issue with
this kind of proposal is that escaping is context-dependent. E.g.
htmlspecialchars() would not help you in many scenarios: it won't protect
you from XSS if you ever place user-controlled data in HTML attributes.
Having an operator for each of the possible contexts does not really look
feasible, and having it for only one of them and not the others would
mislead people into thinking this operator is generic and can be used
safely in all contexts.

--
Stas Malyshev
smalyshev@gmail.com
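The context-dependence argued above, shown as an added example rather than code from the thread or from PHP itself: one escaper per output context behind a dispatcher that refuses an unknown context. The function names and the sample string are assumptions made for this example; it needs PHP 8 (match, throw expressions) and mbstring.

```php
<?php
// Added example (not code from the thread): one escaper per output context,
// since escaping is context-dependent and no single "escaped output" operator
// is right everywhere. Function names and the sample string are assumptions.
declare(strict_types=1);

// HTML element body: <p>HERE</p>. ENT_QUOTES matters: with the pre-PHP-8.1
// default flags (ENT_COMPAT) htmlspecialchars() leaves the apostrophe alone.
function escHtmlText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HTML attribute value. Every code point outside [A-Za-z0-9] becomes a numeric
// entity, so the value stays inert even in an unquoted attribute, where a bare
// space or '=' would end it regardless of what htmlspecialchars() did.
function escHtmlAttr(string $s): string {
    return preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')),
        $s
    ) ?? throw new ValueError('input is not valid UTF-8');  // fail closed
}

// JavaScript string literal inside <script>: a JSON literal with < > & ' "
// hex-escaped, so a "</script>" inside the data cannot close the element.
function escJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// URL query component: ?q=HERE. HTML entities are meaningless here.
function escUrl(string $s): string {
    return rawurlencode($s);
}

// The context is a mandatory argument; an unknown one throws
// UnhandledMatchError instead of silently falling back to HTML rules.
function e(string $s, string $ctx): string {
    return match ($ctx) {
        'html' => escHtmlText($s),
        'attr' => escHtmlAttr($s),
        'js'   => escJs($s),
        'url'  => escUrl($s),
    };
}
$input = "Tom's <b>\"bold\"</b> & co";  // constructed sample input
foreach (['html', 'attr', 'js', 'url'] as $ctx) {
    printf("%-5s %s\n", $ctx, e($input, $ctx));
}
printf("%-5s %s\n", 'old', htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));  // apostrophe survives
```

Running it side by side shows that the four contexts produce four different encodings of the same string, and that the old ENT_COMPAT default leaves the apostrophe intact, which is exactly what goes wrong once the value lands inside a single-quoted attribute.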