I think it's best to create an RFC and put it to a vote: https://wiki.php.net/rfc/howto

Having <?~ makes it a lot easier to do code reviews. I also think the majority of use cases is <?~; other parts can use json_encode(), filter_var() and other filters/escapers.

Regards
Thomas

Михаил Востриков wrote on 19.06.2016 10:38:
> Guys, wait please) I don't suggest an escaping package for all contexts and for all cases. This is not what I described in my first letter. My point is that the main job of the echo operator "<?= ?>" is to output an unknown value from the database into an HTML environment. So in all these places we have to copy-paste the call to htmlspecialchars() to prevent XSS. There are many projects which are written on custom engines, or frameworks, or CMSs, and they do not have any templating engine, and there is no possibility to rewrite many working PHP templates in Twig, or Smarty, or something else.
>
> I suggest a new simple operator "<?~ ?>" which will automatically wrap the output value in htmlspecialchars(). It is intended specially for HTML, not for XML or JS. It does not require any php.ini settings, new classes or constants. The reason for implementing it is the same as for implementing the "??", "<=>" or "<?= ?>" operators: make usual and frequent operations better, decrease copy-paste, and increase security. I can implement it myself and send a patch.
>
> What do you think?
>
> 2016-06-19 12:59 GMT+05:00 Marco Pivetta <ocram...@gmail.com>:
>
>> On 19 June 2016 at 09:53, Niklas Keller <m...@kelunik.com> wrote:
>>
>>> Rasmus Schultz <ras...@mindplay.dk> wrote on Sat., 18 June 2016, 17:44:
>>>
>>> Did you know that you can alias namespaces, too?
>>>
>>> <?php use My\Stuff\Escape as esc; ?>
>>> <?=esc\html($str)?>
>>>
>>> You can always add more functions to a namespace, even spread across multiple files.
>>
>> Pro-userland: quick reminder that a `composer update` is much quicker than a full system PHP version upgrade.
>>
>> I'd rather rely on an escaping package written in PHP, easier to maintain and quicker to upgrade, than something that will likely use some obscure shared library (or the PHP binary itself) that may not be upgraded for weird reasons (it's shared, remember?).
>>
>> I know that you put a lot of effort into security maintenance, but it's still easier to deal with this stuff in userland in any case, and most templating languages in common frameworks already inject helpers into the script context in order to achieve quick, effective and context-aware (no automatic context detection) escaping.
>>
>> Marco Pivetta
>>
>> http://twitter.com/Ocramius
>>
>> http://ocramius.github.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
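The userland alternative that Niklas and Marco describe, as an added example that is not code from the thread or from any of its participants: a small escaping namespace aliased into a template as `esc`, with one helper per output context. The namespace name My\Stuff\Escape is taken from Niklas's message; the attr()/js()/url() helpers, their flag choices and the sample "database value" are assumptions made for this demonstration, and the example does not implement the proposed <?~ tag.

```php
<?php
/*
 * Added example, not code from the thread. Userland escaping helpers of the
 * kind Niklas Keller and Marco Pivetta describe, aliased into a template as
 * `esc`. The namespace name comes from Niklas's message; attr(), js(), url()
 * and the sample data are assumptions for this demonstration.
 * Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
 */
declare(strict_types=1);

namespace My\Stuff\Escape {
    // HTML body text: the one context the proposed <?~ tag would cover.
    function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // Quoted attribute value. Same encoder as html(), kept as a separate name so
    // the context is visible in review; the caller must still wrap the result in quotes.
    function attr(string $value): string
    {
        return html($value);
    }

    // Value embedded inside a <script> block: json_encode with the HEX flags so
    // that "</script>", quotes and ampersands cannot break out of the literal.
    function js($value): string
    {
        return json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
        );
    }

    // Single query-string component.
    function url(string $value): string
    {
        return rawurlencode($value);
    }
}

namespace {
    use My\Stuff\Escape as esc;

    // Constructed "unknown value from the database" that is hostile in every context.
    $str = '"><script>alert(1)</script><a href="x" onmouseover=alert(2)>' . "it's";

    // Raw <?= output: the copy-paste-htmlspecialchars() problem the thread is about.
    echo "raw:  <p>{$str}</p>\n";

    // The same value escaped per context through the alias; in a template this
    // is written as <?=esc\html($str) followed by the closing tag.
    echo 'html: <p>' . esc\html($str) . "</p>\n";
    echo 'attr: <input value="' . esc\attr($str) . "\">\n";
    echo 'js:   <script>var s = ' . esc\js($str) . ";</script>\n";
    echo 'url:  <a href="/search?q=' . esc\url($str) . "\">q</a>\n";
}
```

Run it with `php example.php` and compare the `raw:` line with the four escaped ones: only the first contains a live `<script>` element. The choice of helper is still manual, which is exactly the "context-aware, no automatic context detection" trade-off Marco mentions: `esc\html()` on a value that lands inside an unquoted attribute or a `<script>` block is still a bug, and a reviewer can only catch it because the context is spelled out at the call site.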