One thing to consider is changing json_encode to add a header
Content-type: application/json (or x-javascript), unless the additional
arguments are used.
That way someone using the function to intermingle with HTML will be
faced with the fact they have to encode the output, otherwise it breaks
the page...
Regards
Alan
Stanislav Malyshev wrote:

> This is just a different way of encoding Javascript which depending on
> the context of use will enable Javascript to be embedded securely. Not
> providing an alternate encoding is a bit like arguing that we shouldn't
> have base64_encode() because if used incorrectly it could be insecure.

I'm not saying "not providing", I'm saying "we should provide use
cases, otherwise this feature will inevitably be misused".

> We don't have an explanation of when base64_encode() is useful in the

Because it's established standard that is widely used. json_encode()
option was never used before.

> base64_encode() uses. Same thing for this json_encode() feature. We
> can come up with a set of scenarios where we would like to avoid having
> characters that are meaningful in XML and HTML show up in our json
> strings.

OK, we can. Let's do.
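One set of scenarios of the kind the thread asks for, written as an added PHP example that is not code from any poster or from the PHP project. It assumes the json_encode() option under discussion corresponds to PHP's JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags; the function names and $profile data are constructed for illustration.

```php
<?php
// Added example. $profile is constructed sample data; function names are hypothetical.
$profile = ['name' => 'Tom & "Jerry"', 'bio' => "<!-- <script> it's markup"];

// Assumption: these flags are the option the thread refers to.
const HTML_SAFE = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Scenario 1: JSON is the whole response body. Plain encoding, labelled with
// the JSON content type so a browser does not treat it as HTML.
function jsonResponse($data): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json');
    }
    return json_encode($data);
}

// Scenario 2: JSON embedded in an inline <script> block. The hex options turn
// <, >, & and quotes inside string values into \u00XX escapes, so the HTML
// parser never sees markup characters coming from the data.
function inlineScript($data): string
{
    return '<script>var profile = ' . json_encode($data, HTML_SAFE) . ';</script>';
}

// Scenario 3: JSON embedded in an HTML attribute. The structural double quotes
// of the JSON document remain even with the hex options, so the value is
// HTML-escaped for the attribute instead.
function dataAttribute($data): string
{
    $json = json_encode($data);
    return '<div data-profile="' . htmlspecialchars($json, ENT_QUOTES, 'UTF-8') . '"></div>';
}

$body  = jsonResponse($profile);
$plain = json_encode($profile);
$hex   = json_encode($profile, HTML_SAFE);

echo $plain, "\n", $hex, "\n";
// Both encodings decode to identical data; only the representation differs.
var_dump(json_decode($plain, true) === json_decode($hex, true));
// Checks that the hex-escaped form carries none of < > & ' anywhere.
var_dump(strpbrk($hex, "<>&'") === false);
echo inlineScript($profile), "\n", dataAttribute($profile), "\n";
```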