> The similarity is that magic quotes assumed that the input data was going to
> be embedded within an SQL query without escaping, and therefore needed
> escaping. Of course that's an invalid assumption, the input data could be
> re-rendered, processed in some arbitrary way, written to a file, sent in an
> email, to another web service, etc etc.
>
> This feature makes a similar assumption about output, rather than input.
> Specifically, it assumes that the output is HTML, and what is being echoed
> hasn't already been escaped and therefore needs to be escaped.
True, but the difference is that safety is the default instead of the
exception. Every system has an assumption. It's better that mistakes about
escaping cause double-escaped HTML than an XSS hole.

> that's an invalid assumption, command line scripts do echo/print of plain
> text, and I've seen PHP scripts generate JSON (eg a web service),
> JavaScript, CSS and plain text via the output buffer. Not to mention
> anything could so

I'm sorry, I wasn't clear in the RFC. This feature is meant to only be turned
on during template rendering (imagine you have a Template class):

    function render() {
        // switch auto-escaping on only while the template file runs
        ini_set('__auto_escape', 1);
        require $this->templatePath;
        ini_set('__auto_escape', 0);
    }

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
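The trade-off argued above (escape by default inside template rendering, accept an occasional double-escaped string, and make opting out explicit) can be shown without the proposed `__auto_escape` ini switch. The following is an added userland example, not code from the thread or from PHP itself; the `Template` and `SafeHtml` classes, the `{{ name }}` placeholder syntax and the sample values are all assumptions of this example, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not from the thread): a template class that escapes every
// interpolated value for an HTML context by default. Escaping happens only
// inside render(), mirroring the "only during template rendering" scope of
// the proposal. A value wrapped in SafeHtml is emitted as-is, so an author
// who has already escaped a string says so explicitly instead of silently
// producing double-escaped output.

final class SafeHtml
{
    // Marker type: "this string is already safe for the HTML context".
    public function __construct(public string $html) {}
}

final class Template
{
    public function __construct(private string $source) {}

    /** Escape for HTML text/attribute context, the one context auto-escape assumes. */
    public static function escape(mixed $value): string
    {
        if ($value instanceof SafeHtml) {
            return $value->html; // explicitly opted out: do not escape twice
        }
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    /** Replace {{ name }} placeholders; escaping is the default, not the exception. */
    public function render(array $vars): string
    {
        return preg_replace_callback(
            '/\{\{\s*(\w+)\s*\}\}/',
            function (array $m) use ($vars): string {
                // An unknown placeholder renders empty rather than echoing the marker.
                return self::escape($vars[$m[1]] ?? '');
            },
            $this->source
        );
    }
}

// Constructed sample template and inputs for the demonstration.
$tpl = new Template('<p>Hello, {{ name }}!</p>');

// 1. Default path: a script tag in the value is neutralised without the
//    template author doing anything; the "mistake" of forgetting to escape
//    cannot happen here.
echo $tpl->render(['name' => '<script>alert(1)</script>']), "\n";

// 2. The mistake the reply accepts: a value the caller already escaped is
//    escaped again. The page renders literal entity text, which is ugly but
//    harmless, instead of an XSS hole.
$alreadyEscaped = htmlspecialchars('<b>Ann</b>', ENT_QUOTES, 'UTF-8');
echo $tpl->render(['name' => $alreadyEscaped]), "\n";

// 3. Opting out is visible in code review: the caller must wrap the value.
echo $tpl->render(['name' => new SafeHtml('<b>Ann</b>')]), "\n";
```

Two caveats follow from the objection quoted in the post: this class is only correct for HTML output, so a script emitting JSON, CSS or plain text should not render through it, and `htmlspecialchars` covers HTML text and attribute values but not JavaScript or URL contexts inside the template, which still need their own encoders.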