To that end, the attached patch allows the caller to be paranoid about their data and stipulate that <>&' should be encoded to hex references instead. This doesn't stop a web developer from dropping that content into an innerHTML of course, but it's one more rope holding the ship together.

Can you explain when it's going to help? I.e., if the concern is that somebody would stick it in the DOM as-is and have something like XSS with these data, then encoding it as \u is not enough, as far as I understand. If that's not the concern, then I'm not sure what the use case is - when is such encoding necessary?

You're absolutely correct that this won't save us from brain-dead engineers; what it will save us from is broken browsers which misinterpret otherwise legitimate data and get broken out of their proper context. (Yes, I've seen browsers do exactly this, and you can probably guess which versions.)

-Sara

Short version, broken browsers have made me bitter and untrusting.
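As an added illustration (not part of the thread and not the patch itself), the context-breaking case Sara describes, shown with the JSON_HEX_TAG/JSON_HEX_AMP/JSON_HEX_APOS/JSON_HEX_QUOT flags that released json_encode() accepts; those flag names are not from the thread, and the input data is constructed.

```php
<?php
// Encode data for embedding inside an inline <script> block: every character
// that an HTML parser could treat as markup is emitted as a \u00XX escape,
// which is still a valid JSON string escape and decodes back unchanged.
function encode_for_inline_script(array $data): string
{
    // JSON_HEX_TAG  : < > -> \u003C \u003E  (no literal "</script>" can appear)
    // JSON_HEX_AMP  : &   -> \u0026         (no entity interpretation)
    // JSON_HEX_APOS : '   -> \u0027         (safe inside single-quoted attributes)
    // JSON_HEX_QUOT : "   -> \u0022         (safe inside double-quoted attributes)
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// True when the encoded JSON contains none of the characters that let a
// browser leave the script context or reinterpret the text as HTML.
function is_context_safe(string $json): bool
{
    return strpbrk($json, "<>&'\"") === false;
}

// Constructed input: legitimate-looking data that happens to contain a
// closing script tag and an apostrophe.
$data = [
    'name' => "O'Neil",
    'note' => '</script><script>alert(1)</script>',
];

$plain = json_encode($data);
$safe  = encode_for_inline_script($data);

// The plain encoding still carries a literal "</script>", so an HTML parser
// reading "<script>var d = ...;</script>" terminates the script element early.
echo 'plain is context safe: ', var_export(is_context_safe($plain), true), "\n";
echo 'hex  is context safe: ',  var_export(is_context_safe($safe), true), "\n";

// The hex references are ordinary JSON escapes, so nothing is lost on decode.
echo 'round trip intact: ', var_export(json_decode($safe, true) === $data, true), "\n";

echo "<script>var d = {$safe};</script>\n";
```

The round-trip check is the point of the approach: the browser's JSON/JavaScript parser sees the same data either way, only the HTML parser's view of the bytes changes.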

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
