On Tue, Aug 6, 2019 at 7:34 AM G. P. B. <george.bany...@gmail.com> wrote:
> The voting for the "Deprecate short open tags, again" [1] RFC has begun.
> It is expected to last two (2) weeks until 2019-08-20.
>
> A counter argument to this RFC is available at
> https://wiki.php.net/rfc/counterargument/deprecate_php_short_tags
>
> Best regards
>
> George P. Banyard
>
> [1] https://wiki.php.net/rfc/deprecate_php_short_tags_v2

I voted "yes" for removal.

<? is a security risk. If your code uses <?, then your code is liable to leak, based entirely on a setting potentially out of your control. As Robert Korulczyk's example illustrates, even within the same organization, misconfigurations can have hidden and drastic consequences.

<? is a security risk today, just as much as it was then. Remember in 2007 when Facebook's source code leaked precisely because of this [1]?

Much has been said about this being a "portability" issue. I think that's overly specific. The core issue is "fallibility". You can globally configure the language to stop recognizing itself as a language. That's weird and unexpected. So much so, that no one gives due thought to this, and we end up with security disasters.

PHP.net has opined, for years, that <? is bad [2]. It's time to act. So much else breaks at the 8.0 boundary, let's do it all at once. If anyone needs to justify the effort, let them say "<? is a security hole".

[1]: https://techcrunch.com/2007/08/11/facebook-source-code-leaked/
[2]: https://www.php.net/manual/en/language.basic-syntax.phptags.php
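An added example, not part of the message above or of the RFC: a heuristic audit that lists the bare <? blocks a server would send out as plain text if short_open_tag were Off. The names find_short_tags and SAMPLE are hypothetical and the sample template is constructed.

```python
import re

# Added example (not from the thread). Constructed template mixing the
# always-recognised tags with bare "<?" short tags.
SAMPLE = '''<?php
require "config.php";
?>
<html>
<? $db = connect("db.internal", $password); ?>
<p><?= htmlspecialchars($title) ?></p>
<?
  echo render($db);
?>
</html>
'''

# Tags PHP recognises whatever short_open_tag says: "<?php" followed by
# whitespace, and "<?=" (always available since PHP 5.4). A match with an
# empty group is a bare "<?".
_OPEN = re.compile(r"<\?(php(?=\s|$)|=)?", re.IGNORECASE)


def find_short_tags(source):
    """Return [(line_number, block_text)] for each bare "<?" block, i.e. the
    text that is emitted verbatim when short_open_tag=Off.

    Heuristic: a block is taken to end at the next "?>"; string literals and
    comments inside PHP code are not parsed. "<?xml" declarations are skipped
    because they are meant to be output as text.
    """
    findings = []
    pos = 0
    while True:
        match = _OPEN.search(source, pos)
        if match is None:
            return findings
        close = source.find("?>", match.end())
        end = len(source) if close == -1 else close + 2
        is_xml = source[match.start():match.start() + 5].lower() == "<?xml"
        if match.group(1) is None and not is_xml:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, source[match.start():end]))
        pos = end


if __name__ == "__main__":
    for line, block in find_short_tags(SAMPLE):
        print(f"line {line}: {block!r}")
```

Each reported block is a candidate for rewriting to <?php or <?= so its handling no longer depends on the server's short_open_tag setting.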