From: yohg...@gmail.com [mailto:yohg...@gmail.com] On behalf of Yasuo Ohgaki

>>> On Sun, Jan 11, 2015 at 3:36 PM, Pierre Joye <pierre....@gmail.com> wrote:
>>> Well, the feature list for PHP7 is not closed yet. I hope new attractive
>>> features will be added soon because, otherwise, it will be very hard to sell.
>>> And we need attractive features in the first release, not 7.1 or 7.2, which
>>> will never have the same exposure.
>>
>> I cannot say it in a better way. Full ack.
>
> I agree with this, too.
>
> As the internet has become a hunting place for professional crackers (criminals),
> I really would like to make PHP secure by default. It's getting better, but it
> is not enough.
>
> One example is htmlspecialchars(). HTML 5 allows attributes quoted by " or '
> and without quotes. It does not produce a safe string by default. Another
> example is "embed script by default/always". It's a needless risk (i.e.
> Local/Remote Script Inclusion), IMHO. Yet another example is the lack of a
> JavaScript string escape function. I would also like to see the
> OpenSSL/LibreSSL extension enabled by default.
> Security improvement may attract many users hopefully.

Great ideas! IMO, that's the kind of feature we need: more or less hard to implement and easy to explain and get people interested in.

You're right: if we provide enough security-related fixes and enhancements, this can be a perfect focus when communicating about PHP7. It can look like demagogy, but it's only basic communication rules. People (including all of us) need to form a first opinion after reading less than 10 words (and it becomes shorter every day :). If PHP7 is announced as 'a new version focusing on security', it is a reason to read further for a lot of people. If we give them a long list of opaque features they don't understand, they give up after reading 2 lines!

The REALLY most important features are probably phpng or AST, but our only goal is to have users migrate to the new version. Unfortunately, that's frustrating for people implementing hidden, complex features, like AST or phpng, which won't have the recognition they would deserve. But I don't know any way to fix this. IMO, there's no way to have the mass of PHP developers understand what they owe them. It doesn't mean this work is not important but, when you start working on such low-level features, you must know that recognition will come from your peers, rarely from the public. I even consider that an important benefit of PHP conferences is to provide a way for these people to get the recognition they deserve, which helps keep them motivated.

Please go on with a global security-related RFC and a thread where all of us will bring forgotten feature requests. IMO, there's no need to be extremely creative in searching for issues to solve. We have tons of never-addressed security-related enhancement requests in the bug tracker. Sites like PHP Sadness are a source too. Many others like StackOverflow also contain a lot of ideas and complaints in this domain.
Regards,
François

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
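The htmlspecialchars() and JavaScript-escape points Yasuo raises in the quoted text, shown as an added example that is not code from the thread or from PHP itself: the pre-8.1 default flags leave the single quote alone, so the escaped value is only safe inside a double-quoted attribute; the helpers `attr()` and `js()` are hypothetical names chosen here, and the input string is constructed.

```php
<?php
// Added example, not from the thread. Shows the weak default beside the
// corrected call, and helpers that pin the escaping to a known context.

// Constructed untrusted input containing both quote styles and whitespace.
$untrusted = "x' y=\"z\" w";

// Default flags before PHP 8.1 were ENT_COMPAT | ENT_HTML401: the double
// quote becomes &quot; but the single quote survives untouched, so this value
// is unsafe inside a single-quoted or unquoted HTML5 attribute.
echo htmlspecialchars($untrusted), PHP_EOL;

// ENT_QUOTES | ENT_HTML5 encodes both quote characters (the single quote as
// &apos;) and an explicit charset avoids relying on the default encoding.
echo htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;

// Attribute helper: always emits a double-quoted attribute, so the escape set
// always matches the context and an unquoted attribute is never produced.
function attr(string $name, string $value): string {
    return $name . '="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '"';
}

// JavaScript string-literal helper: json_encode with the hex flags turns
// < > & ' " into \uXXXX escapes, so the value can neither close the string
// literal nor terminate the surrounding <script> element.
function js(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_THROW_ON_ERROR
    );
}

echo '<a ' . attr('title', $untrusted) . '>link</a>', PHP_EOL;
echo '<script>var t = ' . js($untrusted) . ';</script>', PHP_EOL;
```

Since PHP 8.1 the htmlspecialchars() default includes ENT_QUOTES, but code that must run on older releases, or that emits single-quoted or unquoted attributes, still needs the explicit flags and a quoting convention like the one in `attr()`.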