> "Use '<?~' and it will solve your XSS and other escaping problems with outputting HTML that was stored in a DB." I don't think this is a good phrase for documentation. This form should be considered exactly as htmlspecialchars, with taking into account any language and encoding-specific issues, and this should be pointed in documentation. This is a shorcut for often operation, like '??' for isset() check. And it can really improve security, not in 90% but about 99.9999% cases.
2016-06-20 4:41 GMT+05:00 Walter Parker <walt...@gmail.com>: > >> >> > where getting it 90% correct is worse that not doing anything at all. >> > Things like this will cause people to be blindsided when the uncaught >> escapes >> > cause the next major security problem. >> >> Why do you think so? What real problems can happen if there will be a >> short operator for htmlspecialchars()? >> >> What could happen is this getting sold/documented as a general purpose > security feature: > "Use '<?~' and it will solve your XSS and other escaping problems with > outputting HTML that was stored in a DB." What it solves is a subset, > which is escaping characters stored in a data that have special meanings to > HTML. My concern is that the remain security issues might get overlooked or > ignored because '<?~' is considered good enough. There are issues with > htmlspecialchars, UTF-8 and certain language-specific characters (non > English). There were also issues with quotes in the past. > > > Walter >
