Hi!

On 12/24/25 13:14, Rob Landers wrote:
> Maybe, you should consider something like this:
>
> <?:html: or <?:h:
> <?:attr:
> <?:url:
> <?:js:
> <?:css:

That’s an interesting idea! However, it goes beyond the scope of this RFC, which aims only to introduce a concise shorthand for the frequently used <?= htmlspecialchars(...) ?> pattern.

A more comprehensive solution with context-specific escaping—for example, for HTML, attributes, URLs, JavaScript, or CSS—would indeed be better implemented at the templating engine level or as a dedicated module.

Moreover, as other participants in the discussion rightly pointed out, relying solely on automatic escaping at the rendering layer may create a false sense of security if developers don’t fully consider the output context in which data is used. In fact, such syntax doesn’t inherently improve security—it primarily increases coding convenience. True safety still depends on an explicit and context-aware choice of encoding method.

Summary of the proposal:
Introduce a new short echo tag:

```
<?: $expr ?>
```

which compiles to:

```
<?php echo htmlspecialchars($expr); ?>
```

The encoding will be determined automatically via the current `default_charset` setting, as `htmlspecialchars()` does by default.

The behavior flags can be configured via a new INI directive: `short_echo_specialchars_flags`. By default, it matches the flag values used by `htmlspecialchars()`.

Thank you to everyone who contributed to the discussion.


Best regards,
Sergei Issaev

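Added illustration, not code from the RFC or from anyone in the thread: it emulates what the proposed `<?: $expr ?>` tag compiles to (`echo htmlspecialchars($expr)` with the flags the RFC would read from `short_echo_specialchars_flags`) and shows, for the caveat raised above about output context, where that single encoder is the right choice and where it changes nothing. The helper name `short_echo()`, the `SHORT_ECHO_FLAGS` constant standing in for the proposed INI directive, and all sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// SHORT_ECHO_FLAGS stands in for the proposed `short_echo_specialchars_flags`
// INI directive (assumption: that directive does not exist in released PHP).
// These are the htmlspecialchars() defaults since PHP 8.1.
const SHORT_ECHO_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;

/**
 * Hypothetical helper: what `<?: $expr ?>` would expand to.
 * No encoding argument is passed, so htmlspecialchars() falls back to
 * `default_charset`, which is the behaviour the proposal relies on.
 */
function short_echo(mixed $expr, int $flags = SHORT_ECHO_FLAGS): string
{
    return htmlspecialchars((string) $expr, $flags);
}

/**
 * Render one value into the output contexts a template that uses
 * `<?: $expr ?>` everywhere would produce.
 */
function render_contexts(string $input): array
{
    $e = short_echo($input);
    return [
        // Right encoder: every character HTML treats specially is entity-encoded.
        'html_text'          => "<p>{$e}</p>",
        'quoted_attribute'   => "<input value=\"{$e}\">",
        // Wrong context: there is no quote to break out of, and space and '='
        // are not special to htmlspecialchars(), so a new attribute slips through.
        'unquoted_attribute' => "<input value={$e}>",
        // Wrong context: a javascript: URL contains nothing htmlspecialchars() touches.
        'href'               => "<a href=\"{$e}\">link</a>",
    ];
}

/** True when the encoder actually altered the input, i.e. it was not a no-op. */
function encoder_changed(string $input): bool
{
    return short_echo($input) !== $input;
}

// Constructed attacker-style inputs (not taken from the thread), each paired
// with the context a template author might carelessly drop it into.
$samples = [
    '"><script>alert(1)</script>' => 'html_text',
    'x onmouseover=alert(1)'      => 'unquoted_attribute',
    'javascript:alert(1)'         => 'href',
];

foreach ($samples as $input => $context) {
    $rendered = render_contexts($input)[$context];
    $status   = encoder_changed($input) ? 'encoded' : 'NO-OP';
    printf("%-18s %-8s %s\n", $context, $status, $rendered);
}
```

Run with `php example.php`. The rows reported as `NO-OP` are the cases the discussion warns about: `htmlspecialchars()` never saw a character it needed to touch, so the shorthand offered no protection there, and the author still has to pick an encoder that matches the context (URL validation for `href`, quoting the attribute, and so on).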