To that end, the attached patch allows the caller to be paranoid about
their data and stipulate that <>&' should be encoded to hex references
instead. This doesn't stop a web developer from dropping that content
into an innerHTML of course, but it's one more rope holding the ship
together.

Can you explain when it's going to help? I.e. if the concern is that
somebody would stick it in the DOM as-is and have something like XSS
with these data, then encoding it as \u is not enough, as far as I
understand. If it's not the concern, then I'm not sure what the use
case is - when is such encoding necessary?

You're absolutely correct that this won't save us from brain-dead
engineers, what it will save us from is broken browsers which
misinterpret otherwise legitimate data and get broken out of their
proper context. (Yes, I've seen browsers do exactly this, and you can
probably guess which versions.)
-Sara
Short version, broken browsers have made me bitter and untrusting.
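The context-break Sara describes in both of her messages, shown with an added example (not the attached patch and not PHP's own encoder): a JSON string that legitimately contains "</script>" is dropped into an inline script block, once with plain encoding and once with <>&' replaced by \u00XX references. The sample data, the script template and the helper names are constructed for this illustration.

```python
import json

# Characters that are harmless inside a JSON string but that a browser can
# misread once the JSON is embedded in HTML. The paranoid mode replaces them
# with JSON hex references; the decoded value is unchanged.
HEX_REFERENCES = {
    "<": "\\u003C",
    ">": "\\u003E",
    "&": "\\u0026",
    "'": "\\u0027",
}


def json_encode_paranoid(value):
    """Serialise `value` as JSON, then rewrite <>&' as hex references.

    The rewrite runs over the serialised text: structural JSON never
    contains these characters, so only string contents are affected.
    """
    encoded = json.dumps(value, ensure_ascii=True)
    for char, reference in HEX_REFERENCES.items():
        encoded = encoded.replace(char, reference)
    return encoded


def embed_in_script(json_text):
    """Constructed inline-script template, the place such JSON often ends up."""
    return "<script>var data = " + json_text + ";</script>"


def script_block_is_intact(html):
    """True if the page still has exactly one closing script tag."""
    return html.lower().count("</script>") == 1


def round_trips(value):
    """Hex references are ordinary JSON escapes: decoding gives the value back."""
    return json.loads(json_encode_paranoid(value)) == value


# Constructed sample: a legitimate comment that happens to contain a tag.
SAMPLE = {"comment": "see </script> & 'quotes'"}

if __name__ == "__main__":
    for label, text in (("plain", json.dumps(SAMPLE)),
                        ("paranoid", json_encode_paranoid(SAMPLE))):
        html = embed_in_script(text)
        print(label, "intact:", script_block_is_intact(html))
        print("  ", html)
```

With the plain encoding the browser sees a second "</script>" inside the data and ends the script there; with the hex references the script block survives and JSON.parse (or json.loads) still yields the original string.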
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php