On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville <char...@charliesomerville.com> wrote:
> Hi internals,
>
> I'd like to propose a new short tag that echoes with HTML escaping.
>
> XSS is still a significant problem for PHP apps, but it is less common in
> apps written with frameworks that provide automatic HTML escaping. However,
> many developers are still writing straight PHP without any framework and a
> feature like this in PHP itself could prove to be incredibly handy.
>
> One approach I sometimes use is defining a global function called h() which
> passes its argument through htmlspecialchars(). This works well, but it
> still adds a little bit of unwanted mental and typing overhead.
>
> Since escaping is desired the vast majority of the time, I'd like to see a
> short tag for outputting with escaping. This tag could become the de facto
> standard for echoing data, with <?= being seen as the more dangerous
> alternative.
>
> The new tag should be just as short and easy to type as <?=. Personally I'm
> a fan of <?- or perhaps <?~.
>
> Looking forward to hearing some feedback on this idea.
>

How do you propose we customise the escaping of such things, using
htmlentities() or htmlspecialchars()? What about the ENT_QUOTES option, or the
charset to be used (UTF-8)? If you standardise such functionality then you'll
need to have a callback executed.

I'm personally not a fan of your new syntax because it adds more variations to
the way PHP is invoked and outputs information, but perhaps a generic escape()
function is in order.

Maybe you're onto something, but I feel the new php-invoking syntax isn't the
way to go about it.

- Paul.

>
> Cheers,
>
> Charlie.
>
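The h() helper Charlie describes, written out with the escaping options Paul asks about (htmlspecialchars vs htmlentities, ENT_QUOTES, an explicit charset) pinned rather than left to defaults. This is an added example, not code from either poster or from PHP itself; it assumes PHP 5.4 or later (ENT_SUBSTITUTE and ENT_HTML5 were added in 5.4) and uses constructed attacker-controlled strings to show the difference between raw <?= output, the default ENT_COMPAT flags, and the hardened helper.

```php
<?php
// Added example, not from the thread. A global h() in the spirit of
// Charlie's post, with every knob Paul mentions set explicitly.
function h($s)
{
    // htmlspecialchars (not htmlentities): only the five characters that
    // carry HTML meaning are encoded, which is all XSS prevention needs.
    // ENT_QUOTES: encode both " and ' so the value is safe inside single-
    //   and double-quoted attributes, not only in text nodes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of the
    //   historic behaviour of returning an empty string on bad input.
    // ENT_HTML5: use &apos; for the single quote.
    // 'UTF-8': pin the charset instead of inheriting default_charset.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed attacker-controlled values (assumed to come from a request).
$name  = '<script>alert(1)</script>';
$title = "x' onmouseover='alert(1)";
$bad   = "caf\xE9";          // Latin-1 byte, i.e. invalid UTF-8

// 1. What <?= $name ?> emits: the script tag reaches the browser intact.
$raw = "<p>Hello, {$name}</p>\n";

// 2. What <?= h($name) ?> (or the proposed escaping tag) emits.
$safe = "<p>Hello, " . h($name) . "</p>\n";

// 3. ENT_COMPAT, the default before PHP 8.1, leaves ' alone, so a
//    single-quoted attribute is still breakable...
$weak   = "<a title='" . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "'>x</a>\n";
// ...while h() closes that hole.
$strong = "<a title='" . h($title) . "'>x</a>\n";

// 4. Without ENT_SUBSTITUTE, invalid UTF-8 makes htmlspecialchars return
//    "" (silently dropping the value); with it, the bad byte becomes U+FFFD.
$dropped  = htmlspecialchars($bad, ENT_QUOTES, 'UTF-8');
$replaced = h($bad);

echo $raw, $safe, $weak, $strong;
var_dump($dropped === '', $replaced);
```

Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the third and fourth cases only differ on the older releases this thread was written against; spelling the flags out keeps the helper's behaviour the same across versions and answers Paul's "how do you customise it" question in one place.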