You can never avoid people writing things incorrectly, just look at code using addslashes() instead of mysql_real_escape_string() ...
Regards
Thomas

Walter Parker wrote on 20.06.2016 01:41:

>>> where getting it 90% correct is worse than not doing anything at all.
>>> Things like this will cause people to be blindsided when the uncaught
>>> escapes cause the next major security problem.
>>
>> Why do you think so? What real problems can happen if there will be a
>> short operator for htmlspecialchars()?
>>
> What could happen is this getting sold/documented as a general purpose
> security feature:
> "Use '<?~' and it will solve your XSS and other escaping problems with
> outputting HTML that was stored in a DB." What it solves is a subset,
> which is escaping characters stored in data that have special meanings to
> HTML. My concern is that the remaining security issues might get overlooked or
> ignored because '<?~' is considered good enough. There are issues with
> htmlspecialchars, UTF-8 and certain language-specific characters (non-English).
> There were also issues with quotes in the past.
>
> Walter

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
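As an added illustration of the point raised in the quoted message (this is not code from the thread or from PHP itself), the sketch below shows why an `<?~` shorthand for htmlspecialchars() covers only one output context and why its flags matter: the single-quote and invalid-UTF-8 behaviour depends on ENT_QUOTES and ENT_SUBSTITUTE, and a URL attribute or an inline script block need different rules altogether. The helper names e(), js() and safe_url(), the http/https allow-list and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Text nodes and quoted attribute values. Passing the flags explicitly gives
// the same result on PHP 5.4 through 8.x: ENT_QUOTES also encodes the single
// quote (the pre-8.1 default ENT_COMPAT leaves it alone) and ENT_SUBSTITUTE
// replaces invalid UTF-8 with U+FFFD instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value embedded in an inline <script> block is a different context with
// different metacharacters, so entity encoding is the wrong tool there.
function js(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;          // PHP 7.2+
    $out = json_encode($s, $flags);
    return $out === false ? '""' : $out;
}

// A URL in href/src: encoding cannot neutralise an unwanted scheme, so the
// scheme is checked against an allow-list (example policy) before encoding.
function safe_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#';                                  // unparseable: refuse
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';                                  // scheme not allowed: refuse
    }
    return e($url);
}

// Constructed sample values, not taken from the thread.
$name  = "O'Reilly <b>";
$bytes = "caf\xE9";                                   // Latin-1 byte, invalid UTF-8

// Same input, pre-8.1 default flags versus explicit flags.
echo htmlspecialchars($name,  ENT_COMPAT, 'UTF-8'), "\n";   // apostrophe left as-is
echo e($name), "\n";                                         // apostrophe encoded
echo htmlspecialchars($bytes, ENT_COMPAT, 'UTF-8'), "\n";   // whole value dropped
echo e($bytes), "\n";                                        // bad byte replaced

// One value, three contexts, three rules; a single '<?~' would cover only the first.
echo '<p title="', e($name), '">', e($name), "</p>\n";
echo '<a href="', safe_url('ftp://files.example/'), "\">link</a>\n";   // refused
echo '<a href="', safe_url('https://example.com/?a=1&b=2'), "\">ok</a>\n";
echo '<script>var user = ', js($name), ";</script>\n";
```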