Davey, could you give some examples? As I see it in this discussion, all the specific use cases are associated with output to a JS or URL context. But this is not the majority of use cases. Also, HTML escaping should not be used here; json_encode() or urlencode() should be used instead.
2016-06-20 8:39 GMT+05:00 Davey Shafik <da...@php.net>:
> On Sun, Jun 19, 2016 at 8:30 PM, Walter Parker <walt...@gmail.com> wrote:
>
>> Good, then we do agree, as what I said was what I DID NOT want to see in
>> the documentation.
>>
>> This should be documented as a shortcut for <? echo htmlspecialchars(string) ?>.
>> It should be further pointed out that while this will be useful in catching
>> many XSS and other HTML issues, it will not catch all of them, so care and
>> attention to proper data hygiene is still required.
>>
>> Walter
>
> There will never be a way to make this operator useful to a majority of
> users or use cases; similar ideas have been discussed many times in the
> past.
>
> If we get annotations then you might be able to hook something in from
> userland transparently that understands your specific context and
> application. This would be much more feasible IMO.
>
> - Davey
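The point made above about matching the escaper to the output context (htmlspecialchars() for HTML, json_encode() for JS, urlencode() for URLs), as an added PHP example that is not part of the thread; the helper names escHtml/escJs/escUrl, the sample value and the example.com URL are constructed.

```php
<?php
// Added example (not code from the thread): one escaper per output context.
declare(strict_types=1);

// HTML body and quoted-attribute context: encode &, <, >, " and ' as entities.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript literal context inside <script>: json_encode() yields a quoted
// JS string; the JSON_HEX_* flags also hex-escape < > & ' " so the value can
// neither close the surrounding script element nor break out of the literal.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-component context: percent-encode per RFC 3986, which also covers
// characters htmlspecialchars() leaves untouched (space, /, ?, =, #).
function escUrl(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample value carrying characters that matter in each context.
$untrusted = 'O\'Reilly & "Sons" </script>';

// HTML body: entity encoding neutralises the markup characters.
echo '<p>' . escHtml($untrusted) . "</p>\n";

// HTML attribute: same escaper, and the attribute value must be quoted.
echo '<input value="' . escHtml($untrusted) . "\">\n";

// Script block: htmlspecialchars() would give a broken JS literal here, since
// entities are not decoded inside <script>; json_encode() is the right tool.
echo '<script>var name = ' . escJs($untrusted) . ";</script>\n";

// URL parameter embedded in an HTML attribute: encode for the URL first,
// then for the attribute (innermost context first, outermost last).
$href = 'https://example.com/search?q=' . escUrl($untrusted);
echo '<a href="' . escHtml($href) . "\">search</a>\n";
```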