Hi Rasmus,

On Thu, Jun 21, 2012 at 5:33 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:

> The problem with a warning here is that there is usually no way to
> prevent it short of using @ or preceding all calls to htmlspecialchars()
> with an iconv() call. A bad guy can simply send invalid UTF-8 bytes to a
> web app and look for that warning to get a really good idea about the
> server software being used. And yes, I know people should have
> display_errors off in production, but this case is slightly different
> because it is so universal. Other user-triggerable warnings are very
> code-dependent and there is no universal trigger string you can send to
> all PHP apps. Almost all PHP apps call htmlspecialchars() on user input
> at some point.

I have no problem with raising a warning here, but it must respect display_errors.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
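An application-side way to handle the case discussed in this message, as an added example that is not part of the original thread or of PHP's own source: validate the encoding before escaping, log malformed input server-side, and keep diagnostics out of the response. The helper name `escape_untrusted()` and the sample strings are constructed for illustration, and PHP 5.4 or later is assumed for `ENT_SUBSTITUTE`.

```php
<?php
// Added example; escape_untrusted() is a hypothetical helper name.

// Keep diagnostics out of the HTTP response and in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function escape_untrusted($input)
{
    $input = (string) $input;

    // PCRE's /u modifier validates the subject as UTF-8; preg_match()
    // returns false, without emitting a warning, when the bytes are malformed.
    if (preg_match('//u', $input) !== 1) {
        // Record the event server-side only, and log the length rather
        // than the raw bytes so the log itself stays clean.
        error_log('escape_untrusted: malformed UTF-8 input, '
            . strlen($input) . ' bytes');
    }

    // ENT_SUBSTITUTE replaces invalid sequences with U+FFFD, so the caller
    // gets escaped output for both valid and malformed input.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one valid UTF-8 string, one containing
// the invalid byte sequence C0 AF.
$samples = array(
    'valid'     => "caf\xC3\xA9 <b>",
    'malformed' => "abc\xC0\xAF<script>",
);

foreach ($samples as $label => $raw) {
    printf("%-9s => %s\n", $label, escape_untrusted($raw));
}
```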