On 9/18/12 7:30 AM, Pádraic Brady wrote:
> That's all. The RFC should be self-explanatory and feel free to pepper
> ...
> https://wiki.php.net/rfc/escaper

I like where this is going and agree that PHP officially embracing an API would be helpful even for users stuck on old PHP versions.

First issue: I've not studied the referenced PHP implementations, but in cases where multiple contexts seem to apply it's not clear from the RFC which function(s) should be used, and if multiple, how their calls would be composed. Examples:

HTML style attribute: escapeHtmlAttr, escapeCss, or both?
HTML on* attributes: escapeHtmlAttr, escapeJs, or both?
HTML href/src attributes: escapeHtmlAttr, escapeUrl, or both?
HTML script/style elements: Is escapeHtml needed?

I can probably correctly guess some of these, but I think ideally the method and class names should make this more obvious. If escapeJs is only for string literals in JS code (again, the name doesn't make that clear to me), what does escapeCss actually do, since string literals aren't very common in CSS?

Example code would be helpful to clarify both issues, but I still think naming is very important here, and with all the contexts we have to consider, the names in the RFC don't scream what to use them for.

Steve
--
http://www.mrclay.org/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
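
The nested-context cases raised in the message above, as an added example that is not part of the original post or of the RFC: when data sits in one context inside another, it is escaped for the innermost context first and the result is then escaped for the enclosing one. The three functions borrow the RFC's names but are simplified stand-ins written for this illustration, and the sample input is constructed.

```php
<?php
// Added illustration. The three functions borrow the RFC's names but are
// simplified stand-ins (assumptions), not the RFC's implementation.
// Requires the mbstring extension.

function escapeHtmlAttr(string $s): string {
    // Sufficient only for attribute values that are always quoted.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJs(string $s): string {
    // For data placed inside a JS string literal: every character outside
    // a small safe set becomes one or two \uXXXX escapes (UTF-16 units).
    return preg_replace_callback('/[^a-z0-9,._]/iu', function (array $m): string {
        $hex = strtoupper(bin2hex(mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8')));
        return '\\u' . implode('\\u', str_split($hex, 4));
    }, $s) ?? ''; // null means the input was not valid UTF-8
}

function escapeUrl(string $s): string {
    // For a single URL component (a query value), not a whole URL.
    return rawurlencode($s);
}

$name = "Tom & \"Jerry\" </a> 'quoted'"; // constructed sample input

// on* attribute: JS string literal (inner) inside an HTML attribute (outer).
$onclick = "greet('" . escapeJs($name) . "')";
echo '<button onclick="' . escapeHtmlAttr($onclick) . '">Hi</button>', "\n";

// href attribute: URL component (inner) inside an HTML attribute (outer).
$href = '/search?q=' . escapeUrl($name) . '&page=2';
echo '<a href="' . escapeHtmlAttr($href) . '">Search</a>', "\n";

// Why escapeHtmlAttr alone is not enough for on*: the HTML parser decodes
// the attribute before the JS engine sees it. html_entity_decode() stands
// in for that decoding step here.
$attrOnly = escapeHtmlAttr("greet('" . $name . "')");
$jsSees   = html_entity_decode($attrOnly, ENT_QUOTES, 'UTF-8');
echo $jsSees, "\n"; // the single quotes from $name are back, unescaped
```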
