On Sun, Oct 21, 2012 at 1:01 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
>> I'd like to propose a new short tag that echoes with HTML escaping.
>
> What is "HTML escaping"? Different contexts need different escaping. For
> outside tags it's one escaping, for tag attribute it's another, for JS
> code context - yet another. Selecting just one use case and integrating
> it into the language is a bad idea - since you are basically saying
> everybody should use this specific case in any case, which is wrong.
>
>> The new tag should be just as short and easy to type as <?=. Personally I'm
>> a fan of <?- or perhaps <?~.
>
> Personally I'm hugely *not* a fan of more obscure syntax in PHP.
> Especially one that will quickly lead people into writing insecure code
> because of applying wrong escaping function for the context.
I completely agree. Adding a new syntax for automatic escaping (even if configurable -- yay, more php.ini!) is not going to change anyone's mindset from a defensive to an offensive stance, in my opinion. If you have a template which generates JavaScript, CSS, and X/HTML all from the same PHP file, you get a lot of confusion having to deal with some new syntax, where users now have to be mindful of which output syntax decides which escape method.

For this, most user-space implementations (frameworks like you mentioned) do a fine job of identifying these common use cases and providing a common solution. There's the taint approach, which could allow a framework to automatically figure out which variables are tainted and should be escaped and which aren't and can pass through cleanly. PHP doesn't need to get in the way here. I think the existing userland implementations should do fine if they get it right.

> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
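The context problem both messages describe, shown in working PHP. This is an added illustration, not code from the thread, from the proposal, or from any framework; the escaper names (e_html, e_attr, e_js, e_url) and the hostile input are made up for the demo. Each function is only correct for the one insertion point it is named after, which is why a single "HTML escaping" short tag cannot be right for all of them:

```php
<?php
// Added example, not from the thread: one escaper per output context.
// Function names (e_html, e_attr, e_js, e_url) are invented for this demo.
declare(strict_types=1);

// Context 1: text between tags.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: attribute value. Same entity set as e_html, but the template MUST
// wrap the result in double quotes; the function cannot enforce that by itself.
function e_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 3: a JavaScript value inside <script>. A JSON literal with < > & ' "
// hex-escaped means a "</script>" in the data can never close the block, and
// newlines and backslashes are escaped as part of the literal.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Context 4: a query-string parameter inside a URL.
function e_url(string $s): string
{
    return rawurlencode($s);
}

// Constructed hostile input: tries to break out of every context at once.
$name = '</script><script>alert(1)</script> x onmouseover=alert(2) "\'&';

// Right escaper for each context:
?>
<p>Hello, <?= e_html($name) ?></p>
<a href="/profile?user=<?= e_url($name) ?>">profile</a>
<input type="text" value="<?= e_attr($name) ?>">
<script>var user = <?= e_js($name) ?>;</script>
<?php
// Wrong escaper for the context (what a one-size-fits-all tag invites):
// an unquoted attribute. htmlspecialchars() leaves spaces and '=' alone, so
// the browser reads value=&lt;/script&gt;... up to the first space, then
// "x", then a live onmouseover=alert(2) attribute.
?>
<input type="text" value=<?= e_html($name) ?>>
<?php
// Same mistake in a JS context: the entities survive as literal text inside
// the string (the user sees "&lt;/script&gt;" instead of their name), while
// raw newlines and backslashes in the data pass through untouched and can
// break or alter the script. json_encode() above handles all of that.
?>
<script>var user = "<?= e_html($name) ?>";</script>
```

Rendering this file with the hostile `$name` shows the point of the thread: the first four insertion points are inert, the unquoted-attribute one gains an event handler, and the last one produces garbled output. The escaper has to be chosen per insertion point, not per file or per language, which is the job the reply leaves to the template layer rather than to a new PHP tag.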