Hi all,

On Sun, Jan 11, 2015 at 3:36 PM, Pierre Joye <pierre....@gmail.com> wrote:
>
> Well, the feature list for PHP7 is not closed yet. I hope new attractive
> features will be added soon because, otherwise, it will be very hard to
> sell. And we need attractive features in the first release, not 7.1 or 7.2,
> which will never have the same exposure.
>
> I cannot say it in a better way. Full ack.
>

I agree with this, too.

As the internet became a hunting place for professional crackers (criminals), I really would like to make PHP secure by default. It's getting better, but it is not enough.

One example is htmlspecialchars(). HTML 5 allows attributes quoted by " ' and w/o quotes. It does not produce a safe string by default.

Another example is "embed script by default/always". It's a needless risk (i.e. Local/Remote Script Inclusion), IMHO.

Yet another example is the lack of a JavaScript string escape function.

I also would like to see the OpenSSL/LibreSSL extension enabled by default.

Security improvements may hopefully attract many users.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
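
The htmlspecialchars() point in the message above, as an added example that is not part of the original mail or of PHP's own code: it escapes a constructed value with ENT_COMPAT (the default flag when the mail was written; PHP 8.1 later changed the default to ENT_QUOTES | ENT_SUBSTITUTE) and with ENT_QUOTES, places it in double-quoted, single-quoted and unquoted attributes, and lists the attributes an HTML parser then sees. It assumes the DOM extension is loaded; `attributeNames()` and `attr()` are hypothetical helper names.

```php
<?php
// Added example, not from the original message. All input values are constructed.

// Return the attribute names an HTML parser finds on the first <input> in $html.
function attributeNames(string $html): array
{
    libxml_use_internal_errors(true);          // collect parser warnings quietly
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attribute) {
            $names[] = $attribute->name;
        }
    }
    libxml_clear_errors();
    return $names;
}

// Hardened helper (hypothetical name): the attribute is always double-quoted and
// the value always escaped with ENT_QUOTES. $name must be a developer-chosen
// constant, never user input.
function attr(string $name, string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('%s="%s"', $name, $escaped);
}

// [label, attribute template, untrusted value (constructed), escaping flags]
$cases = [
    ['double-quoted, ENT_COMPAT', '<input value="%s">', 'x" data-injected="1', ENT_COMPAT],
    ['single-quoted, ENT_COMPAT', "<input value='%s'>", "x' data-injected='1", ENT_COMPAT],
    ['single-quoted, ENT_QUOTES', "<input value='%s'>", "x' data-injected='1", ENT_QUOTES],
    ['unquoted, ENT_QUOTES',      '<input value=%s>',   'x data-injected=1',   ENT_QUOTES],
];

foreach ($cases as [$label, $template, $value, $flags]) {
    $html = sprintf($template, htmlspecialchars($value, $flags, 'UTF-8'));
    printf("%-27s %s\n%27s attributes: %s\n", $label, $html, '',
        implode(', ', attributeNames($html)));
}

// The same single-quote value through the hardened helper.
$html = '<input ' . attr('value', "x' data-injected='1") . '>';
printf("%-27s %s\n%27s attributes: %s\n", 'attr() helper', $html, '',
    implode(', ', attributeNames($html)));
```

Any row that lists an attribute other than `value` is a context where the escaped string did not stay inside the attribute it was written into.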