To make it clearer: <?~ $str ?>

is a shortcut for: <?= htmlspecialchars($str, ENT_QUOTES | ENT_HTML5); ?>

Using <?~ is neither more nor less secure than <?= htmlspecialchars.

Regards
Thomas

Niklas Keller wrote on 20.06.2016 12:51:
> 2016-06-20 11:12 GMT+02:00 Lester Caine <les...@lsces.co.uk>:
>
>> On 20/06/16 07:00, Niklas Keller wrote:
>>
>> Now ... I want to add content that includes
>> > it needs to be in the format
>> > <script>alert("xss")<script> so that it never
>> > appears in the 'dangerous' format, but if $user['about_me'] is
>> > designated a simple text string, then any attempt to add
>> > via an input should be blocked!
>> >
>> > No, it shouldn't be blocked. It should just be escaped on output. What if
>> > that's a comment to a tech blog, where we talk about these things instead
>> > of trying to find a vulnerability?
>>
>> Re-read what I wrote!
>
> I read it and I fundamentally disagree with that.
>
>> You should ALWAYS sanitise simple text such as short descriptions, and
>> even user names and other simple text fields and I would always do that
>> with strings like $user['about_me'] ...
>
>> '<?~' creates a false sense of
>> security
>
> You're right. But it's the case because it doesn't obey the output context.
> It's not because it escapes on output.
>
>> when users should be educated as to the risks that NOT
>> validating data can create. Such as overflowing field sizes and creating
>> text which internally can cause problems even before outputting to a
>> browser
>
> Data validation is a totally different topic and not what this thread is
> about.
>
>> such as quotes in combined strings.
>
> Where's that an issue?
>
>> ( Rowan sums up the output side nicely ... )

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
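As an added example (ours, not code from this thread or from the proposal), the script below spells out what <?~ $str ?> would expand to and then puts that same escape into three output contexts where it is the wrong tool, which is the "doesn't obey the output context" point above. The function names esc_html, esc_js and esc_url are assumptions for the example, and the hostile inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the php-internals thread. esc_html() is what the
// proposed `<?~ $s ?>` stands for; the other helpers are context-specific
// escapes that `<?~` would not give you. All names here are our own.

/** What `<?~ $s ?>` expands to: HTML-escape for element content and quoted attributes. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** A JavaScript string literal, quotes included, with <, >, &, ', " hex-escaped so it is also HTML-safe. */
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** A value for href/src: only http(s) URLs are allowed; anything else becomes a harmless fragment link. */
function esc_url(string $s): string
{
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? esc_html($s) : '#';
}

// Constructed hostile inputs, one per context.
$attr    = 'x onmouseover=alert(1)';   // aimed at an unquoted attribute
$handler = "'); alert(1); //";         // aimed at an inline event handler
$link    = 'javascript:alert(1)';      // aimed at an href

echo "--- 1. unquoted attribute: spaces and '=' are not HTML-special, so a second attribute is injected ---\n";
echo '<input value=' . esc_html($attr) . ">\n";
echo "    fix: quote the attribute, then ENT_QUOTES keeps the value inside the quotes\n";
echo '<input value="' . esc_html($attr) . "\">\n";

echo "--- 2. inline event handler: the browser entity-decodes the attribute before the JS engine parses it ---\n";
echo "    so &apos; turns back into ' and the injected statement runs\n";
echo '<a onclick="go(\'' . esc_html($handler) . '\')">x</a>' . "\n";
echo "    fix: escape for the inner context (JS string literal) first, then for the outer one (HTML attribute)\n";
echo '<a onclick="go(' . esc_html(esc_js($handler)) . ')">x</a>' . "\n";

echo "--- 3. href: a javascript: URL contains no HTML-special characters, so esc_html passes it through ---\n";
echo '<a href="' . esc_html($link) . "\">x</a>\n";
echo "    fix: validate the scheme against an allow-list; escaping cannot do this\n";
echo '<a href="' . esc_url($link) . "\">x</a>\n";
```

Run it with php and compare the two lines in each pair. Case 1 and case 2 are the ones where a reader who believes `<?~` "handles XSS" is caught out: in case 1 the escape did nothing wrong, the template did (no quotes); in case 2 the HTML escape is applied to the right place but the value has to survive two parsers, so the inner context must be escaped first. Case 3 shows why validation and output escaping are different topics, as the thread says: no amount of escaping makes javascript: a safe href.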