Keryx Web wrote:
> Alexey Zakhlestin wrote:
>> I think I understand what the use-case is…
>>
>> If the browser doesn't know anything about <script> tag, it is
>> supposed to interpret its contents as html… In which case, html-tags
>> which appear in javascript code will actually become active ones
>>
>
> And in the year 2007, soon 2008, what browser would that be?
>
> MSIE 2.0? (JScript was introduced in 3.0)
>
> Netscape 2.0B1? (JavaScript was introduced in B2)
>
> Mosaic?
>
>
> $10 to the first one who can name a browser that has a market share
> above 0.1% and will mistreat the contents in a script tag in this way.
> Nah, I'm generous, I'll make that €10!

It may not be the browser that misses the <script> tag. It may be the developer. And I don't mean the trivial case of doing <script><?php echo json_encode(...)</script>, this is more likely to happen in complex environments where you have XHR requests returning json and doing DOM manipulation on it. If you mess up and end up passing the returned json payload to innerHTML, you are hosed.

Using the \u syntax, even if you mess up and that blob of data finds its way to an innerHTML, nothing nasty can happen. Basically this is a more robust context-protected way of encoding json. We should probably have done it this way right from the beginning, but since we didn't and since we don't really want to deal with the potential BC issues of changing working code, we have to add it as an option at this point.

-Rasmus
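
The point of the reply above, as an added JavaScript example that is not part of the thread or of PHP's source: one constructed payload serialized normally and with \u escapes for <, >, & and '. The helper names and the sample record are assumptions made for illustration.

```javascript
// Added example, not from the thread. hexEscapeJson, hasHtmlMeta and
// roundTrips are hypothetical helper names; the record is constructed data.
// PHP's json_encode() produces comparable output with the JSON_HEX_TAG,
// JSON_HEX_AMP and JSON_HEX_APOS flags.

// Serialize to JSON, then write <, >, & and ' as \uXXXX escapes. These four
// characters can only occur inside JSON string literals, so replacing them
// in the serialized text keeps the document valid and its meaning unchanged.
function hexEscapeJson(value) {
  return JSON.stringify(value).replace(/[<>&']/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// True if the text holds a character that HTML parsing treats as markup
// (tag delimiters or the start of a character reference).
function hasHtmlMeta(text) {
  return /[<>&]/.test(text);
}

// Constructed sample: an XHR response record carrying user-supplied text.
const record = {
  user: "guest",
  comment: "<img src=x onerror=alert(1)> & 'more'",
};

const plain = JSON.stringify(record);   // markup survives verbatim
const hardened = hexEscapeJson(record); // markup exists only as \u escapes

// A JSON parser decodes the escapes, so correct consumers see the same data.
function roundTrips(text) {
  const parsed = JSON.parse(text);
  return parsed.user === record.user && parsed.comment === record.comment;
}

console.log("plain   :", plain, "| HTML metacharacters:", hasHtmlMeta(plain));
console.log("hardened:", hardened, "| HTML metacharacters:", hasHtmlMeta(hardened));
console.log("hardened parses back to the same data:", roundTrips(hardened));
```

If the hardened text is assigned to innerHTML unparsed, it contains nothing the HTML parser can turn into an element, while code that calls JSON.parse on it still receives the original strings.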