> How do you propose we customise the escaping of such things, using
> htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the
> charset to be used (UTF-8)?

htmlspecialchars() with ENT_QUOTES and UTF-8 should be sufficient.

> I'm personally not a fan of your new syntax because it adds more variations
> to the way PHP is invoked and outputting information, but perhaps a generic
> escape() function is in order. Maybe you're onto something, but I feel the
> new php-invoking syntax isn't the way to go about it.

To clarify - I'm not proposing any new functionality. I'm specifically proposing new syntax for existing functionality.

I don't really see what benefits a generic escape() function would bring. The idea of this proposal is that it makes escaping just as easy as not escaping. At the moment many developers have a mindset of deciding whether or not they should escape something. I'd like to see that change to a mindset of specifically deciding not to escape a certain bit of output - and having an automatic escaping syntax will help that.

On Monday, 22 October 2012 at 12:44 AM, Paul Dragoonis wrote:

> On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville <[email protected]> wrote:
> > Hi internals,
> >
> > I'd like to propose a new short tag that echoes with HTML escaping.
> >
> > XSS is still a significant problem for PHP apps, but it is less common in
> > apps written with frameworks that provide automatic HTML escaping. However,
> > many developers are still writing straight PHP without any framework and a
> > feature like this in PHP itself could prove to be incredibly handy.
> >
> > One approach I sometimes use is defining a global function called h() which
> > passes its argument through htmlspecialchars(). This works well, but it
> > still adds a little bit of unwanted mental and typing overhead.
> >
> > Since escaping is desired the vast majority of the time, I'd like to see a
> > short tag for outputting with escaping. This tag could become the de facto
> > standard for echoing data, with <?= being seen as the more dangerous
> > alternative.
> >
> > The new tag should be just as short and easy to type as <?=. Personally I'm
> > a fan of <?- or perhaps <?~.
> >
> > Looking forward to hearing some feedback on this idea.
>
> How do you propose we customise the escaping of such things, using
> htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the
> charset to be used (UTF-8)?
>
> If you standardise such functionality then you'll need to have a callback
> executed.
>
> I'm personally not a fan of your new syntax because it adds more variations
> to the way PHP is invoked and outputting information, but perhaps a generic
> escape() function is in order. Maybe you're onto something, but I feel the
> new php-invoking syntax isn't the way to go about it.
>
> - Paul.
>
> > Cheers,
> >
> > Charlie.
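As an added example, not code from the thread or from PHP itself: the kind of global h() helper the original mail describes, wrapping htmlspecialchars() with ENT_QUOTES and the UTF-8 charset that the reply settles on, run on a constructed input so the difference between raw <?= output and escaped output is visible. The ENT_SUBSTITUTE flag is an addition the thread does not mention; it makes the function replace invalid UTF-8 byte sequences rather than return an empty string.

```php
<?php
// Added example, not part of the mailing-list thread.
declare(strict_types=1);

/**
 * Escape a value for HTML element content or a quoted attribute value.
 * ENT_QUOTES escapes both double and single quotes, so the result is safe in
 * either attribute quoting style; ENT_SUBSTITUTE (an assumption beyond the
 * thread, available since PHP 5.4) replaces malformed UTF-8 instead of
 * returning '' and silently dropping the output.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for untrusted request data.
$name  = '<img src=x onerror="alert(1)">';
$title = "O'Reilly \"Books\"";

// Raw echo: this is exactly what the <?= tag emits today, markup and all.
echo $name, PHP_EOL;

// Escaped echo: this is what <?= h($name) (or the proposed tag) would emit.
// Angle brackets and quotes come back as entities, so the browser renders
// the text instead of parsing it as an element.
echo h($name), PHP_EOL;

// The same helper inside a template, in the two contexts it covers:
// element content and a quoted attribute value.
?>
<p title="<?= h($title) ?>">Hello, <?= h($name) ?>!</p>
```

Two caveats a reviewer would attach to any such helper: htmlspecialchars() covers only HTML text and quoted attribute values, so data placed into a JavaScript string, a URL, or a CSS value needs the escaping rules of that context instead; and each value should be escaped exactly once at output time, since escaping text that is already escaped turns a literal `&amp;` into the visible string `&amp;amp;`, which is the double-escaping symptom that a "decide when not to escape" workflow, as proposed in the mail, is meant to make rare rather than common.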
