Newsgroups: php.internals
Date: Sat, 18 Jun 2016 00:28:30 +0200 (CEST)
Subject: Re: [PHP-DEV] New escaped output operator
From: mails@thomasbley.de ("Thomas Bley")
To: walterp@gmail.com
Cc: michael.vostrikov@gmail.com, internals@lists.php.net, me@kelunik.com

Walter,

yes I read, did you read?

Niklas wrote:
> The escaping should also be aware of the content encoding.

I wrote: no we have a php.ini setting

The context problem is already answered in the mail from Stas.

Regards
Thomas

Walter Parker wrote on 18.06.2016 00:20:

> Thomas, are you actually reading and understanding what the others are
> saying?
>
> You seem to be answering questions that have not been asked or giving the
> simple, easy and wrong answer.
>
> Walter
>
> On Fri, Jun 17, 2016 at 1:37 PM, Thomas Bley wrote:
>
>> using the default encoding from php.ini's default_charset should be no
>> problem, htmlspecialchars() already does it if the encoding parameter is
>> not provided.
>>
>> Regards
>> Thomas
>>
>> Niklas Keller wrote on 17.06.2016 22:31:
>>
>> > Hi,
>> >
>> > the issue is that things have to be escaped dependent on the context. If
>> > you are in an HTML context you need different escaping than you need in a
>> > CSS or JS block. The escaping should also be aware of the content encoding.
>> > All that makes it difficult for PHP to directly support such an operator.
>> >
>> > You can always alias "e" or something like that to be your default escape
>> > function.
>> >
>> > Regards, Niklas
>> >
>> > Михаил Востриков wrote on Fri, 17 June 2016, 21:29:
>> >
>> >> Hello. I was thinking about a presence of escaped output operator in PHP
>> >> and found this feature request: https://bugs.php.net/bug.php?id=62574. I
>> >> think this is a quite necessary feature. There are a lot of projects which
>> >> are written without a templating engine, and there are frameworks without
>> >> a built-in templating engine by default. All these projects require to
>> >> write the code. Usually it is rather simple to switch to a new version of
>> >> the language, but it is almost impossible to switch many and many
>> >> templates on a templating engine.
>> >>
>> >> Most of output code is an output of properties of database entities, and
>> >> only in some cases it's needed to concatenate HTML into a string and then
>> >> print it with unescaped output. Escaped output operator can be useful.
>> >> Also we output data not into the void and not into a simple text file, but
>> >> into an HTML-document which has a certain format (markup). Also this is
>> >> logical - to have both forms, escaped and unescaped.
>> >>
>> >> I want to suggest the operator "", which will automatically wrap
>> >> output in htmlspecialchars(). It is mentioned in the feature request
>> >> above. It is quite easy to type, and there is a small possibility to
>> >> write "> ?>" instead.
>> >>
>> >> In PHP 7 there are new operators and other changes. I think, new echo
>> >> operator also can be added. I can implement it myself.
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
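
The two points debated in this thread, output context and content encoding, as an added example that is not part of any message above: one constructed value escaped for HTML, a JavaScript string literal and a URL component, followed by how htmlspecialchars() treats bytes that do not match the charset it is given. The helper names e_html, e_js and e_url and the sample strings are hypothetical; JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for untrusted data (not taken from the thread).
$value = "O'Reilly \"Books\" </script> & more";

// Hypothetical helper: HTML text and quoted attribute values.
// ENT_QUOTES also encodes the single quote; the charset is passed explicitly
// rather than inherited from php.ini's default_charset.
function e_html(string $s, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Hypothetical helper: a string literal inside a <script> block.
// HTML entities are not decoded in that context, so the value is serialized
// as JSON with <, >, &, ' and " emitted as \uXXXX escapes.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hypothetical helper: a single query-string component.
function e_url(string $s): string
{
    return rawurlencode($s);
}

echo 'HTML: <p>', e_html($value), "</p>\n";
echo 'attr: <input value="', e_html($value), "\">\n";
echo 'JS:   <script>var title = ', e_js($value), ";</script>\n";
echo 'URL:  <a href="/search?q=', e_url($value), "\">search</a>\n";

// Encoding: these bytes are valid ISO-8859-1 but not valid UTF-8 (constructed).
$latin1 = "caf\xE9";

// Without ENT_SUBSTITUTE or ENT_IGNORE, htmlspecialchars() returns an empty
// string when the input is invalid in the charset it is told to assume.
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));
// Declaring the charset the data really uses keeps the byte intact.
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1'));
// ENT_SUBSTITUTE replaces the invalid sequence with U+FFFD instead of dropping the output.
var_dump(e_html($latin1));
```

Unquoted attribute values, CSS and event-handler attributes need their own escaping rules and are not covered by these three helpers.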