Davey
> - https://marc.info/?t=145851323800001&r=1&w=2 — automatic template escaping
> - https://marc.info/?t=135082660600002&r=1&w=2 — this one even proposed the same syntax!
> - https://marc.info/?t=144225546000001&r=1&w=2 — tainted variables also "solves" this problem

These discussions and the arguments against are all about a super-universal escaping operator, and that escaping method depends on context. The third discussion is even a slightly different thing; the second discussion is closer to my proposal. I suggest an operator for one specific context - HTML markup - because this is the most often used context. This is shown in the example below.

Rowan
> I think you are rather overstating how much of a "special edge case" it is to echo a variable into other contexts like URLs,
> or JS. It doesn't need to be anything fancy, just an innocent-looking snippet like this:
>
> <ul>
> <?php foreach ( $things as $thing ) { ?>
> <li><a href="/things/<?= $thing['name'] ?>" onclick="show_popup('<?= $thing['name'] ?>');"><?= $thing['name'] ?></a>
> <?php } ?>
> </ul>
>
> There are three different escape mechanisms needed there; if there is a shorthand for one,
> do you think it will be more likely or less that people will get the other two right?

Actually, htmlspecialchars() is needed in all three cases:

<?php $thing = ['name' => 'Say "Hello")']; ?>
<a href="/things/<?= htmlspecialchars(urlencode($thing['name'])) ?>"
   onclick="alert(<?= htmlspecialchars(json_encode($thing['name']), ENT_QUOTES) ?>); return false"
>
<?= htmlspecialchars($thing['name']) ?>
</a>

You may not write htmlspecialchars together with urlencode just because urlencode encodes all special characters in its own way. Imagine that urlencode did not encode quotes - what function should we call for its result? That's why I say this is a very common case. The main purpose of PHP is web programming and generating HTML (hypertext preprocessor, yes). The very fact that there have been many discussions about it indicates that it is a necessary feature.
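The three output contexts in Rowan's snippet (URL path segment inside an href, JavaScript string literal inside an onclick, HTML text), written out as an added example that is not code from the thread or from PHP itself. The helper names esc_html(), esc_url_segment(), esc_js_literal() and render_thing_item() are my own; the sample $things values are constructed. It shows the layering the reply above argues for: each value gets its context-specific encoding first, and then htmlspecialchars() because the result still lands inside HTML markup.

```php
<?php
// Added example for the escaping discussion above; not code from the thread.
// One helper per output context, plus a renderer that puts each in the right slot.
declare(strict_types=1);

/** HTML text content and attribute values: HTML context. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A path segment inside an href: URL context, then HTML-attribute context. */
function esc_url_segment(string $s): string
{
    // rawurlencode() leaves only unreserved characters, so the result contains
    // no quote, '<', '>' or '&'. esc_html() on top changes nothing for such
    // input but keeps one rule: every value that lands in markup goes through it.
    return esc_html(rawurlencode($s));
}

/** A JavaScript string literal inside an on* attribute: JS context, then HTML-attribute context. */
function esc_js_literal(string $s): string
{
    // JSON_HEX_* makes json_encode() emit \u0022, \u0027, \u003C, \u003E and \u0026
    // instead of the raw characters inside the literal. The delimiting double
    // quotes are still raw, and the literal sits inside an HTML attribute, so
    // esc_html() is applied as well; the browser decodes the entities before
    // handing the attribute value to the JavaScript parser.
    $json = json_encode(
        $s,
        JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
    return esc_html($json);
}

/** Renders one <li> with the same three slots as the snippet under discussion. */
function render_thing_item(string $name): string
{
    return '<li><a href="/things/' . esc_url_segment($name) . '"'
         . ' onclick="show_popup(' . esc_js_literal($name) . '); return false">'
         . esc_html($name) . '</a></li>';
}

// Constructed sample input: the thread's own value plus one that carries a
// character special to each context (attribute quote, JS quote, HTML tag, '&').
$things = [
    ['name' => 'Say "Hello")'],
    ['name' => "it's <b>bold</b> & loud"],
];

echo "<ul>\n";
foreach ($things as $thing) {
    echo render_thing_item($thing['name']), "\n";
}
echo "</ul>\n";
```

For the first item the double quote ends up as %22 in the href, as \u0022 inside the JavaScript literal, and as &quot; in the link text; the same input therefore needs a different encoding in each slot, and none of the three encodings can be swapped for another.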