Hi internals,

I'd like to propose a new short tag that echoes with HTML escaping.

XSS is still a significant problem for PHP apps, but it is less common in apps written with frameworks that provide automatic HTML escaping. However, many developers are still writing straight PHP without any framework, and a feature like this in PHP itself could prove to be incredibly handy.

One approach I sometimes use is defining a global function called h() which passes its argument through htmlspecialchars(). This works well, but it still adds a little bit of unwanted mental and typing overhead.

Since escaping is desired the vast majority of the time, I'd like to see a short tag for outputting with escaping. This tag could become the de facto standard for echoing data, with <?= being seen as the more dangerous alternative. The new tag should be just as short and easy to type as <?=. Personally I'm a fan of <?- or perhaps <?~.

Looking forward to hearing some feedback on this idea.

Cheers,
Charlie.
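Added example, not part of the original message and not code from its author: a sketch of the h() workaround the message describes, used next to a plain <?= echo. The flag set, the charset argument and the sample values are this example's assumptions; the message only says that h() passes its argument through htmlspecialchars().

```php
<?php
// h(): the helper name comes from the message above; the flags are this
// example's choice, not something the message specifies. Requires PHP 8.
function h(string|int|float|null $value): string
{
    // ENT_QUOTES escapes both " and ', so the result can sit inside a
    // quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

// Constructed sample values standing in for untrusted request data.
$comment = 'I <b>really</b> like <?= tags';
$nick    = 'charlie" data-injected="1';
?>
<!-- Plain echo: markup inside $comment is sent to the browser as markup. -->
<p><?= $comment ?></p>

<!-- Escaped echo: the same value is rendered as literal text. -->
<p><?= h($comment) ?></p>

<!-- Attribute context: keep the attribute quoted; h() escapes the quote
     character, so $nick cannot close the value and add attributes. -->
<input type="text" name="nick" value="<?= h($nick) ?>">
```

HTML escaping of this kind covers element text and quoted attribute values only; data written into script blocks, URLs or CSS needs encoding specific to that context.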