Edit report at https://bugs.php.net/bug.php?id=62745&edit=1
ID: 62745
User updated by: kjelkenes at gmail dot com
Reported by: kjelkenes at gmail dot com
Summary: Extend echo and print possibility
Status: Wont fix
Type: Feature/Change Request
Package: Output Control
Operating System: *
PHP Version: 5.4.5
Block user comment: N
Private report: N

New Comment:

Before you blatantly ignore this bug report, please take your time to read the following posts:

- http://fabien.potencier.org/article/34/templating-engines-in-php (Security)
- http://pkj.no/blog/2012/08/08/php-use-a-template-system-or-not

And the most important rule of XSS prevention (right now):

"Don't forget to add htmlspecialchars($var, ENT_QUOTES, 'utf-8') on every single echo statement"

Previous Comments:
------------------------------------------------------------------------
[2012-08-06 18:59:35] kjelkenes at gmail dot com

Just stating the obvious. OOP, MVC, templating engine: you, sir, have greatly missed the point of this feature request.

Are you talking about OOP? OOP has _nothing_ to do with this question; of course you would use OOP: classes, namespaces and traits. But this is not the place to talk about OOP design.

Are you talking about MVC? Because this addition will make every currently existing MVC framework, such as Symfony 2 and CodeIgniter, more secure. You separate controller / business logic / presentation logic, but you are now starting a discussion of using a 3rd-party library against PHP itself as a templating engine. That does not really make sense at all regarding this feature request. You don't USE a templating framework if you implement this change; this change will make it easier than ever to CREATE the fastest templating engine on the market without having to parse code to PHP code and then use the PHP code to make PHP safe.

Note, PHP is a language, you can also template with it because of its easy syntax: HTML<?php echo $var?>MORE_HTML.

In Symfony 2 you have to either use
- TWIG syntax (templating engine)
- echo $this->escape("<script></script>"); (Symfony way ..)

Now, this wouldn't have been needed if this feature request was implemented.
- echo "<script>.."; (This is not possible at this time)
------------------------------------------------------------------------
[2012-08-06 18:27:49] phpmpan at mpan dot pl

When making general statements, first make sure that by writing "all people do" you don't mean "I do". Also please take a look at the calendar. Mine says 2012, not the end of the XX century. Maybe 10 years ago it was acceptable, but it's no longer a good habit to mix business logic and the presentation layer; virtually any bigger application is written in OOP (which doesn't mix well with exiting PHP mode) and the presentation layer is handled by template engines or frameworks.

As I said before: you're trying to solve a problem that doesn't really exist. If it can be observed anywhere, it's just a symptom of a different problem that lies between keyboard and chair, not in PHP.

Also it's not a good idea to call PHP devs ignorant and raging because your idea is not accepted. If you believe that it's really needed, try to convince people it is so! Insulting will not get you anywhere.
------------------------------------------------------------------------
[2012-08-06 13:07:30] kjelkenes at gmail dot com

Ignorance, gotta love it. There is really a difference between the output buffering functions and this. I do of course know of the output buffering functions; this is NOT RELATED. Read on to really see what I mean about this.

This is how people in most cases write their VIEW logic, meaning ending and starting <?php echo ..?> every time they echo stuff. That also means you should ESCAPE ALL data that comes to echo, else you are just not SAFE.

index.php:

<?php
// Web page title.
$title = 'My website';
// An item from the database.
$item = array('title' => '<script>alert("Hi!")</script>');
?>
<?php ob_start() ?>
<html>
<head>
<title><?php echo $title?></title>
</head>
<body>
<div><p><?php echo $item['title']?></p></div>
</body>
</html>
<?php
$content = htmlspecialchars(ob_get_flush(), ENT_QUOTES, 'UTF-8');
echo $content;
/* Returns:
<html>
<head>
<title>My website</title>
</head>
<body>
<div><p><script>alert("Hi!")</script></p></div>
</body>
</html>

FAIL?! We NEED an echo handler....
*/
?>

Obviously this won't work if people wrote their template like this (but that's up to them...):

index.php

echo "
<html>
<head>
<title>{$title}</title>
</head>
<body>
<div><p>{$item['title']}</p></div>
</body>
</html>
";

This is wanted behaviour (the use of htmlspecialchars wouldn't be necessary if we had a handler that intercepted the echo statement):

<?php
// Web page title.
$title = 'My website';
// An item from the database.
$item = array('title' => '<script>alert("Hi!")</script>');
?>
<html>
<head>
<title><?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8')?></title>
</head>
<body>
<div><p><?php echo htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8')?></p></div>
</body>
</html>
<?php
/* Returns:
<html>
<head>
<title>My website</title>
</head>
<body>
<div><p>&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;</p></div>
</body>
</html>

Perfect!
*/
?>
------------------------------------------------------------------------
[2012-08-06 01:01:42] ahar...@php.net

The commenters are right: output buffering already deals with the feature as requested, and as Laruence points out, the taint extension is available for the underlying issue if you want to go down that road. Closing.
------------------------------------------------------------------------
[2012-08-05 06:55:18] larue...@php.net

1. if you want taint mode, refer to: http://pecl.php.net/taint
2. if you want to escape output, refer to: http://www.php.net/manual/en/function.ob-start.php

thanks
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62745
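The following script is an added example, not code from the bug report or from PHP itself. It puts the two positions in the 2012-08-06 comments side by side: escaping the complete output buffer through an ob_start() callback (the output-buffering route the maintainers point to) against escaping each value at the point it is echoed (the htmlspecialchars($var, ENT_QUOTES, 'UTF-8') rule quoted in the report). It assumes PHP 8.0 or later (str_contains(), arrow functions); the page title and the item row are constructed sample data, and the helper names e(), renderWithBufferCallback(), renderEscapedPerValue() and check() are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report. It contrasts escaping the whole
// output buffer through an ob_start() callback with escaping each value where
// it is echoed. Requires PHP 8.0+; $title and $item below are constructed data.

/**
 * Escape one value for an HTML text node or a quoted attribute value.
 * ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE turns an invalid UTF-8
 * sequence into U+FFFD instead of making htmlspecialchars() return "".
 * Not suitable for JavaScript, CSS or URL contexts, which need their own encoders.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Whole-buffer escaping. The handler receives markup and data as one string,
 * so it cannot escape the attacker's <script> without also escaping the
 * page's own <html>. An outer plain buffer captures the handler's result.
 */
function renderWithBufferCallback(string $title, array $item): string
{
    ob_start();
    ob_start(fn (string $buf): string => htmlspecialchars($buf, ENT_QUOTES, 'UTF-8'));
    ?>
<html>
<head><title><?= $title ?></title></head>
<body><div><p><?= $item['title'] ?></p></div></body>
</html>
<?php
    ob_end_flush();            // runs the handler and passes its output outward
    return ob_get_clean();
}

/**
 * Per-value escaping: the markup stays literal, only data passes through e().
 */
function renderEscapedPerValue(string $title, array $item): string
{
    ob_start();
    ?>
<html>
<head><title><?= e($title) ?></title></head>
<body>
<div><p><?= e($item['title']) ?></p></div>
<a href="/item/<?= (int) $item['id'] ?>" title="<?= e($item['title']) ?>">details</a>
</body>
</html>
<?php
    return ob_get_clean();
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$title = 'My website';
$item  = ['id' => 42, 'title' => '<script>alert("Hi!")</script>'];   // sample row

$viaCallback = renderWithBufferCallback($title, $item);
$perValue    = renderEscapedPerValue($title, $item);

// The callback variant contains no <script>, but also no <html>: a browser
// would display the page source as text.
check(!str_contains($viaCallback, '<script>'), 'callback: script tag escaped');
check(str_contains($viaCallback, '&lt;html&gt;'), 'callback: markup escaped too');

// The per-value variant keeps its markup and neutralises only the data.
check(str_contains($perValue, '<html>'), 'per-value: markup intact');
check(!str_contains($perValue, '<script>'), 'per-value: script tag escaped');
check(str_contains($perValue, '&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;'),
      'per-value: expected entities');

// Why ENT_QUOTES matters: with ENT_COMPAT (the default before PHP 8.1) a single
// quote survives, so a value inside a single-quoted attribute can still break out.
$payload = "' onmouseover='alert(1)";
check(htmlspecialchars($payload, ENT_COMPAT, 'UTF-8') === $payload, "ENT_COMPAT leaves ' alone");
check(e($payload) === '&#039; onmouseover=&#039;alert(1)', "ENT_QUOTES escapes '");

echo $viaCallback, "\n", $perValue;
```

Run it with php from the command line: the checks throw if any expectation fails, and both rendered pages are printed so the difference can be read directly. The nested buffers in renderWithBufferCallback() are needed because ob_get_clean() returns the raw buffer and discards the handler's output; only ob_end_flush() passes the handler's result on to the enclosing buffer.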