Walter, yes I read, did you read? Niklas wrote:
The escaping should also be aware of the content encoding.
I wrote: no we have a php.ini setting
The context problem is already answered in the mail from Stas.
Regards
Thomas
Walter Parker wrote on 18.06.2016 00:20:
Thomas, are you actually reading and understanding what the others are
saying? You seem to be answering questions that have not been asked or giving the
simple, easy and wrong answer.
Walter
using the default encoding from php.ini's default_charset should be no
problem, htmlspecialchars() already does it if the encoding parameter is
not provided.
Regards
Thomas
Niklas Keller wrote on 17.06.2016 22:31:
Hi,
the issue is that things have to be escaped dependent on the context. If
you are in a HTML context you need different escaping than you need in a
CSS or JS block. The escaping should also be aware of the content
encoding.
All that makes it difficult for PHP to directly support such an operator.
You can always alias "e" or something like that to be your default escape
function.
Regards, Niklas
Михаил Востриков michael.vostrikov@gmail.com wrote on Fri., - June 2016, 21:29:
Hello. I was thinking about the presence of an escaped output operator in PHP
and found this feature request: https://bugs.php.net/bug.php?id=62574.
I think this is quite a necessary feature. There are a lot of projects
which are written without a templating engine, and there are frameworks
without a built-in templating engine by default. All these projects require
to write the code. Usually it is rather simple to switch to a new version of
the language, but it is almost impossible to switch many and many templates
to a templating engine.
Most of the output code is an output of properties of database entities, and
only in some cases it's needed to concatenate HTML into a string and then
print it with unescaped output. An escaped output operator can be useful.
Also we output data not into the void and not into a simple text file, but
into an HTML document which has a certain format (markup). Also it is logical
to have both forms, escaped and unescaped.
I want to suggest the operator "<?~ $str ?>", which will automatically wrap
output in htmlspecialchars(). It is mentioned in the feature request above.
It is quite easy to type, and there is a small possibility to write "<?= ?>"
instead.
In PHP 7 there are new operators and other changes. I think a new echo
operator can also be added. I can implement it myself.
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
I wrote: no we have a php.ini setting
While I can't speak for everyone, my belief is that any proposal that
depends on adding new php.ini settings (that people will need to set
per application) is going to be overwhelmingly rejected.
We've mostly learnt that fiddling with ini settings for anything other
than a system wide setting is just a horrendous experience for
end-users.
cheers
Dan
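
The context dependence Niklas describes, as an added example that is not part of the thread: the same value is escaped with htmlspecialchars() for HTML text and attributes and with json_encode() for an inline script block, and the charset is passed explicitly rather than taken from php.ini. The helper names e_html() and e_js() and the sample values are assumptions made for this illustration; JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Added illustration; e_html() and e_js() are hypothetical helper names.
declare(strict_types=1);

// HTML text and quoted-attribute context. Passing the charset explicitly
// avoids depending on php.ini's default_charset; ENT_SUBSTITUTE replaces
// byte sequences that are invalid in that charset instead of returning "".
function e_html(string $s, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Inline <script> context: emit a JSON string literal and hex-escape the
// characters that could end the script block or be read as markup.
// Invalid UTF-8 input throws instead of silently producing "false".
function e_js(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($s, $flags | JSON_THROW_ON_ERROR);
}

// Constructed sample values.
$name   = "Tom & \"Jerry\" </script> it's";
$latin1 = "caf\xE9"; // ISO-8859-1 bytes, not valid UTF-8
?>
<p><?= e_html($name) ?></p>
<input value="<?= e_html($name) ?>">
<script>
  // htmlspecialchars() would be wrong here: JavaScript does not decode
  // entities such as &amp;, so the string would carry them literally.
  var name = <?= e_js($name) ?>;
</script>
<!-- Same bytes, two declared charsets: the first call substitutes U+FFFD
     for the stray byte, the second passes it through as a Latin-1 "é". -->
<p><?= e_html($latin1) ?></p>
<p><?= e_html($latin1, 'ISO-8859-1') ?></p>
```

CSS values need their own escaping routine, which PHP does not ship as a built-in and which is not shown here.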