> > where getting it 90% correct is worse than not doing anything at all.
> > Things like this will cause people to be blindsided when the uncaught
> > escapes cause the next major security problem.
>
> Why do you think so? What real problems can happen if there will be a
> short operator for htmlspecialchars()?
>
What could happen is this getting sold/documented as a general purpose
security feature:
"Use '<?~' and it will solve your XSS and other escaping problems with
outputting HTML that was stored in a DB." What it solves is a subset,
which is escaping characters stored in data that have special meanings to
HTML. My concern is that the remaining security issues might get overlooked or
ignored because '<?~' is considered good enough. There are issues with
htmlspecialchars, UTF-8 and certain language-specific characters (non
English). There were also issues with quotes in the past.


Walter
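The cases Walter lists above (UTF-8 handling, quotes, and escaping being only a subset of output safety) as an added PHP example. This is not code from the thread or from PHP itself; the helper names `escapeHtmlText`, `buildTitleAttr` and `safeHref`, and all input values, are constructed for the illustration.

```php
<?php
// Added example, not code from the thread: checks showing what
// htmlspecialchars() covers and what it leaves to the caller.
declare(strict_types=1);

// Text between tags: escape the characters with HTML meaning.
// ENT_QUOTES escapes both quote styles (single quotes were not escaped by
// the default flags before PHP 8.1). ENT_SUBSTITUTE replaces an invalid
// UTF-8 sequence with U+FFFD instead of returning an empty string.
function escapeHtmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute context: the escaping is the same, but the template must quote
// the attribute, otherwise whitespace ends the value.
function buildTitleAttr(string $s): string
{
    return 'title="' . escapeHtmlText($s) . '"';
}

// URL context: character escaping says nothing about the URL scheme, so
// allow only the schemes the application expects, then escape for HTML.
function safeHref(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && $scheme !== false
        && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // rejected: not an http(s) link
    }
    return escapeHtmlText($url);
}

// --- constructed inputs ---

// The case htmlspecialchars() is meant for: HTML-special characters in text.
$text = "Tom & Jerry <b>\"rock\"</b> O'Neil";
echo escapeHtmlText($text), "\n";
// Tom &amp; Jerry &lt;b&gt;&quot;rock&quot;&lt;/b&gt; O&apos;Neil

// UTF-8: a truncated multibyte sequence. Without ENT_SUBSTITUTE the whole
// value silently becomes "" (PHP >= 5.4), so the bad data is hidden rather
// than surfaced; with it, the bad byte is replaced and the rest survives.
$broken = "caf\xC3";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === ''); // bool(true)
echo bin2hex(escapeHtmlText($broken)), "\n";                      // 636166efbfbd

// Unquoted attribute: 'a b' escapes to itself, so title=a b yields the
// attribute "title" with value "a" plus a stray attribute "b".
echo '<div title=' . escapeHtmlText('a b') . ">\n"; // <div title=a b>
echo '<div ' . buildTitleAttr('a b') . ">\n";       // <div title="a b">

// Scheme allowlist: only the http(s) link is accepted; the '&' in the
// query string is still escaped for the HTML attribute it will sit in.
var_dump(safeHref('https://example.com/?a=1&b=2')); // "https://example.com/?a=1&amp;b=2"
var_dump(safeHref('javascript:void(0)'));           // NULL
```

The point of the example is the one made in the thread: a short operator that wraps `htmlspecialchars()` fixes the text-between-tags case, but the flags (quotes, invalid UTF-8), attribute quoting in the template, and URL scheme validation are separate decisions that the operator cannot make for the author.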
