On 07/08/2019 20:45, Sergey Panteleev wrote:
Perhaps I missed it and someone already suggested it,
but didn't consider a compromise option:
just change the default value short_open_tag=false,
and DON'T remove the option from php.ini?

Without the other changes, this would lead to potentially dangerous code and data leakage.

It's not really viable to simply change the default, or remove the option, without creating a significant security risk.

Upgrading from one version to the next, without explicitly specifying the configuration in the INI during the upgrade (if previously omitted), would treat code which was previously explicitly specified as valid, as no longer valid, and would expose it to the world.

Mark Randall

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
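
An added example, not part of the thread and not PHP project code: a pre-upgrade check, written in Python so the result does not depend on the local php.ini, that lists each bare `<?` tag whose block would be sent to the client as plain text once short_open_tag is off. The function name and the sample file are constructed for illustration, and the scan assumes `?>` does not occur inside a PHP string literal.

```python
import re

# "<?" plus an optional suffix: "php" (full tag), "=" (echo tag, always on
# since PHP 5.4) or "xml" (a literal XML declaration, not PHP).
OPEN = re.compile(r"<\?(php(?=\s|\Z)|=|xml(?=\s))?", re.IGNORECASE)

def find_short_open_tags(source):
    """Return [(line, column, line_text)] for every bare '<?' that opens a block."""
    hits, pos = [], 0
    while True:
        m = OPEN.search(source, pos)
        if m is None:
            return hits
        kind = (m.group(1) or "").lower()
        if kind == "xml":
            pos = m.end()          # stays in HTML mode, keep scanning
            continue
        if kind == "":             # bare short tag: depends on short_open_tag
            line = source.count("\n", 0, m.start()) + 1
            col = m.start() - (source.rfind("\n", 0, m.start()) + 1) + 1
            hits.append((line, col, source.split("\n")[line - 1].strip()))
        # Skip the PHP block so a "<?" inside PHP code or strings is ignored.
        # Assumption: "?>" does not appear inside a string literal.
        close = source.find("?>", m.end())
        if close == -1:
            return hits
        pos = close + 2

# Constructed sample file; the credential is a made-up placeholder.
SAMPLE = '''<?php require "config.php"; ?>
<html><body>
<? $dsn = "mysql:host=db;dbname=app"; $pw = "constructed-secret"; ?>
<p><?= htmlspecialchars($title) ?></p>
<?php echo "<? not a tag, inside a string"; ?>
<? if ($admin) { ?>admin<? } ?>
</body></html>
'''

if __name__ == "__main__":
    for line, col, text in find_short_open_tags(SAMPLE):
        print(f"line {line}, col {col}: {text}")
```

Every reported line is code that ran with short_open_tag on and would be emitted verbatim with it off, so each hit should be rewritten to `<?php` before the setting changes.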
