Hi Xinchen,

On Tue, Jun 23, 2015 at 11:33 PM, Xinchen Hui <larue...@php.net> wrote:
> But passing a non-string to htmlspecialchars is not a commonly used case..
>
> "optimize" not commonly used cases... will bring nothing to us..

The reason why I brought this up now is scalar type hints. Before PHP7, people didn't care whether data sent from the browser is actually a string, e.g. age, month, date, etc. However, this optimization has more effect because of PHP7's type hints, which convert the data type "always", and users must escape regardless of its type. A wrong data type assumption is a common source of JavaScript injections.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net