Hi,

basically I agree with you while I see the issue, but I don't think this
is the solution (it might have been a solution if introduced 20 years
ago, making it "secure by default" and letting users opt out where needed,
but now it might lead to a BC hell).

But a comment here:

On Mon, 2016-03-21 at 12:42 +0000, Chris Riley wrote:
> 2. Relying on an ini setting for security is a bad idea: we did that with
> magic quotes and look how that turned out.

One can't fully compare this: magic_quotes happened before the script
started. Thus the setting was outside the control of the script. With
this feature it is under the control of the script. You can do ini_set()
at the beginning of the script to enforce what your app needs (while
writing libraries which are generating output in a portable way will be
harder). With magic_quotes the only way were these foreach ($_GET)
{ stripslashes } loops, which often had bugs (recursion related).

johannes
