Please give me RFC karma. My wiki account is "michael-vostrikov". I plan to create an RFC for this feature.
2016-06-19 21:09 GMT+05:00 Thomas Bley <ma...@thomasbley.de>:
> I think it's best to create an RFC and put it to a vote:
> https://wiki.php.net/rfc/howto
>
> Having <?~ makes it a lot easier to do code reviews.
> I also think the majority of use cases is <?~; other parts can use
> json_encode(), filter_var() and other filters/escapers.
>
> Regards
> Thomas
>
> Михаил Востриков wrote on 19.06.2016 10:38:
> >
> > Guys, wait please) I don't suggest an escaping package for all contexts and
> > for all cases. This is not what I described in my first letter. My point is
> > that the main job of the echo operator "<?= ?>" is to output an unknown value
> > from the database into an HTML environment. So in all these places we should
> > copy-paste the call of htmlspecialchars() to prevent XSS. There are many projects
> > which are written on custom engines, or frameworks, or CMS, and they do
> > not have any templating engine, and there is no possibility to rewrite many
> > working PHP templates to Twig, or Smarty, or something else.
> >
> > I suggest a new simple operator "<?~ ?>" which will automatically wrap the
> > output value in htmlspecialchars(). It is intended specially for HTML, not
> > for XML or JS. It does not require any php.ini settings, new classes or
> > constants. The reason for implementing it is the same as for implementing
> > the "??", "<=>", or "<?= ?>" operators: make usual and frequent operations
> > better, decrease copy-paste, and increase security. I can implement it
> > myself and send a patch.
> >
> > What do you think?
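What the proposed "<?~ ?>" tag would do at each output point, and why it is only right for the HTML context, shown as an added PHP example that is not part of this thread, of the RFC, or of any PHP patch. PHP has no "<?~" tag, so the example emulates it with a regex rewrite of the template source; the helper names e(), compileTilde(), jsValue() and render(), the template text and the payload string are all constructed for the illustration, and the block assumes PHP 8 (for the mixed type declaration) with the mbstring-independent htmlspecialchars() and json_encode() functions from core.

```php
<?php
declare(strict_types=1);

// Escaper for HTML body and double-quoted attribute context, i.e. what the
// proposed "<?~ expr ?>" tag would wrap around each value. ENT_QUOTES also
// covers single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning "" (which would silently drop the output), and the charset is
// pinned so the result does not depend on default_charset in php.ini.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical userland shim: rewrite "<?~ expr ?>" to "<?= e(expr) ?>" before
// the template runs. PHP does not implement this tag; a real RFC would do the
// rewrite in the lexer rather than with a regex over the source text.
function compileTilde(string $template): string
{
    return preg_replace('/<\?~\s*(.+?)\s*\?>/s', '<?= e($1) ?>', $template);
}

// Escaper for a JavaScript context inside <script>, where htmlspecialchars()
// is the wrong tool: json_encode() with the HEX flags keeps "</script>" and
// quotes from breaking out of the block (the json_encode() route mentioned
// in the reply above for non-HTML contexts).
function jsValue(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Execute a compiled template with $vars in scope and return its output.
function render(string $compiled, array $vars): string
{
    $file = tempnam(sys_get_temp_dir(), 'tpl');
    file_put_contents($file, $compiled);
    extract($vars, EXTR_SKIP);
    ob_start();
    include $file;
    $out = ob_get_clean();
    unlink($file);
    return $out;
}

// Constructed template mixing the raw echo tag, the proposed escaping tag,
// and a script block.
$template = <<<'TPL'
<p>Raw:     <?= $name ?></p>
<p>Escaped: <?~ $name ?></p>
<input value="<?~ $name ?>">
<script>var name = <?= jsValue($name) ?>;</script>
TPL;

// Constructed attacker-controlled value, as if it had come from the database.
$payload = '"><script>alert(1)</script>';

echo "--- compiled source ---\n", compileTilde($template), "\n";
echo "--- rendered output ---\n", render(compileTilde($template), ['name' => $payload]), "\n";
```

Running it prints the raw "<?=" line with the script tag intact (the XSS the proposal is about), the two "<?~" spots with the angle brackets and quotes turned into HTML entities, and the script block with the same characters as \u-escapes, so the value stays a JavaScript string literal. The point of keeping e() and jsValue() separate is the one made in the proposal: an HTML escaper applied inside a script, a URL, or an XML document does not make that context safe, so the tag should only replace the copy-pasted htmlspecialchars() calls, not every escaper.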