Hi internals,
I'd like to propose a new short tag that echoes with HTML escaping.
XSS is still a significant problem for PHP apps, but it is less common in
apps written with frameworks that provide automatic HTML escaping. However,
many developers are still writing straight PHP without any framework and a
feature like this in PHP itself could prove to be incredibly handy.
One approach I sometimes use is defining a global function called h() which
passes its argument through htmlspecialchars(). This works well, but it
still adds a little bit of unwanted mental and typing overhead.
Since escaping is desired the vast majority of the time, I'd like to see a
short tag for outputting with escaping. This tag could become the de facto
standard for echoing data, with <?= being seen as the more dangerous
alternative.
The new tag should be just as short and easy to type as <?=. Personally I'm
a fan of <?- or perhaps <?~.
Looking forward to hearing some feedback on this idea.
Cheers,
Charlie.
On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville <charlie@charliesomerville.com> wrote:
How do you propose we customise the escaping of such things, using
htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or
the charset to be used (UTF-8)?
If you standardise such functionality then you'll need to have a callback
executed.
I'm personally not a fan of your new syntax because it adds more variations
to the way PHP is invoked and outputting information, but perhaps a generic
escape() function is in order. Maybe you're onto something, but I feel the
new php-invoking syntax isn't the way to go about it.
- Paul.
> How do you propose we customise the escaping of such things, using
> htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or
> the charset to be used (UTF-8)?
htmlspecialchars() with ENT_QUOTES and UTF-8 should be sufficient.
> I'm personally not a fan of your new syntax because it adds more variations
> to the way PHP is invoked and outputting information, but perhaps a generic
> escape() function is in order. Maybe you're onto something, but I feel the
> new php-invoking syntax isn't the way to go about it.
To clarify - I'm not proposing any new functionality. I'm specifically proposing new syntax for existing functionality. I don't really see what benefits a generic escape() function would bring.
The idea of this proposal is that it makes escaping just as easy as not escaping. At the moment many developers have a mindset of deciding whether or not they should escape something. I'd like to see that change to a mindset of specifically deciding not to escape a certain bit of output - and having an automatic escaping syntax will help that.
Hi!
> I'd like to propose a new short tag that echoes with HTML escaping.
What is "HTML escaping"? Different contexts need different escaping. For
outside tags it's one escaping, for tag attribute it's another, for JS
code context - yet another. Selecting just one use case and integrating
it into the language is a bad idea - since you are basically saying
everybody should use this specific case in any case, which is wrong.
> The new tag should be just as short and easy to type as <?=. Personally I'm
> a fan of <?- or perhaps <?~.
Personally I'm hugely not a fan of more obscure syntax in PHP.
Especially one that will quickly lead people into writing insecure code
because of applying wrong escaping function for the context.
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
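As an added example, not code from the thread or from PHP itself, here is Stanislav's point in code: Charlie's h() helper (htmlspecialchars() with ENT_QUOTES and UTF-8, as he later specifies) beside escapers for two other output contexts, with one constructed sample value run through each. The function names h(), js() and urlParam() and the sample value are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (JSON_THROW_ON_ERROR).

// Text between tags and *quoted* attribute values: htmlspecialchars() with
// ENT_QUOTES (so both " and ' are encoded) and an explicit charset, as proposed
// in the thread. ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of
// making htmlspecialchars() return an empty string and silently drop output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript value context inside a <script> element: JSON-encode, and hex-escape
// <, >, &, ' and " so the encoded value can never close the <script> element or
// otherwise be reinterpreted by the HTML parser. HTML entities are the wrong tool
// here: the browser does not decode &quot; inside a script block.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-parameter context: percent-encode first, then HTML-escape the result,
// because the URL is itself going into an HTML attribute (two contexts, two layers).
function urlParam(string $value): string
{
    return h(rawurlencode($value));
}

// Constructed sample input standing in for an untrusted request parameter.
$untrusted = 'Tom & "Jerry" </script>';

// Each call site names its context, and the helper used must match that context;
// a single auto-escaping tag could only ever pick one of these.
echo '<p>Hello ' . h($untrusted) . "</p>\n";

// h() does not encode spaces or "=", so the attribute value must be quoted;
// writing value=... without the surrounding quotes is still unsafe.
echo '<input name="q" value="' . h($untrusted) . "\">\n";

echo '<script>var who = ' . js($untrusted) . ";</script>\n";

echo '<a href="/search?q=' . urlParam($untrusted) . "\">search</a>\n";
```

Running the file shows the same input rendered four different ways; the second and third lines in particular make the point that the correct escaping for an attribute value and for a JavaScript literal are not the same function.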
> Personally I'm hugely not a fan of more obscure syntax in PHP.
I agree with this sentiment. I think the traditional simplicity of PHP's
syntax has been one of its greatest traits. I'm not a fan of all of this
type of alternate syntax that has been steadily added.
Bryan
> Hi!
>> I'd like to propose a new short tag that echoes with HTML escaping.
> What is "HTML escaping"? Different contexts need different escaping. For
> outside tags it's one escaping, for tag attribute it's another, for JS
> code context - yet another. Selecting just one use case and integrating
> it into the language is a bad idea - since you are basically saying
> everybody should use this specific case in any case, which is wrong.
>> The new tag should be just as short and easy to type as <?=. Personally I'm
>> a fan of <?- or perhaps <?~.
> Personally I'm hugely not a fan of more obscure syntax in PHP.
> Especially one that will quickly lead people into writing insecure code
> because of applying wrong escaping function for the context.
I completely agree.
Adding a new syntax for automatic escaping (even if configurable --
yay more php.ini!) is not going to change anyone's mindset from
defensive to offensive stance in my opinion.
If you have a template which generates javascript, css, and x/html all
from the same PHP file you get a lot of confusion having to deal with
some new syntax where users now have to be considerate of what output
syntax decides on what escape method.
For this, most user-space implementations (frameworks like you
mentioned) do a fine job of identifying these common use cases and
providing a common solution. There's the taint approach which could
allow a framework to automatically figure out which variables are
tainted and should be escaped and which aren't and can pass through
cleanly.
PHP doesn't need to get in the way here. I think the existing userland
implementations should do fine if they get it right.
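As an added example (not code from the thread or from any framework), here is the mindset Charlie describes implemented in userland: a generic escape function, as Paul suggested, applied to every piece of output, plus an explicit opt-out marker. It is the inverse of the taint approach mentioned above: rather than tracking which values are tainted, every value is treated as untrusted unless the developer has deliberately wrapped it as safe. The names SafeHtml, e(), raw() and anchor() and the sample data are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0+.

// Marker for a fragment the developer has explicitly decided is already HTML.
// Only values wrapped in this class bypass escaping.
final class SafeHtml
{
    private $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function __toString(): string
    {
        return $this->html;
    }
}

// The generic escape function, used for *every* interpolation in a template:
// plain values are HTML-escaped; only SafeHtml passes through untouched.
function e($value): string
{
    if ($value instanceof SafeHtml) {
        return (string) $value;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The only way to opt out of escaping: a deliberate, greppable call at the
// point where the decision is made.
function raw(string $trustedHtml): SafeHtml
{
    return new SafeHtml($trustedHtml);
}

// Builds a safe fragment from untrusted parts: each part is escaped on the way
// in, so the assembled markup can honestly be marked safe.
function anchor(string $href, string $text): SafeHtml
{
    return raw('<a href="' . e($href) . '">' . e($text) . '</a>');
}

// Constructed sample data standing in for a database row.
$user = [
    'name' => 'Tom & "Jerry"',
    'bio'  => '<b>hello</b>',                   // user-supplied; must not render as markup
    'site' => 'https://example.invalid/?a=1&b=2',
];

// Template: every interpolation goes through e(); markup reaches the page only
// via raw()/anchor(), so "not escaping" is the visible exception, not the default.
echo '<h1>' . e($user['name']) . "</h1>\n";
echo '<p>' . e($user['bio']) . "</p>\n";
echo '<p>' . e(anchor($user['site'], 'Homepage')) . "</p>\n";
```

The design choice is that e() is safe to call on everything, including values that are already SafeHtml, so a reviewer only needs to audit the raw() call sites rather than every echo in the template.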