> <?= $this->escapeHtml($value); ?>
> I don't see what is hard in using that syntax, plus it's not a global registry.
> if people aren't using templating and haven't written any of their own wrappers to sanitize the output

They HAVE their own wrappers. The problem is that the unsafe variant works well, but the unsafe variant should not work well. The problem is that they have to keep in mind that they always need to write a wrapper; they always need to repeat the same action again. And at some point they just miss this and get possible problems with security. The problem is that this is a very frequent case, so we need a tool for this case which will prevent wrong work (XSS in particular). We always perform output to some context. Why not just add an easy tool for working with contexts? This is just one call - PHPEscaper::escape(). Consider it like a Facade pattern.

> what's going to drive them to change?

Why then are many people asking about this feature? In my RFC there are 10 links to similar discussions. They are from those people who were not lazy to write to the mailing list or bug tracker. There are also the results of the poll - 286 people are for this operator (now 320, after I wrote about the implementation with contexts). And in the first message I asked about an official poll from PHP developers. Why not conduct it?
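
A sketch of the kind of single-call, context-aware facade the message above argues for, as an added example that is not part of the original message and not the RFC's PHPEscaper implementation. The class name `ContextEscaper`, the context names and the sample value are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical facade (not the RFC's PHPEscaper): one call, escaping picked by context.
final class ContextEscaper
{
    public static function escape(string $value, string $context = 'html'): string
    {
        switch ($context) {
            case 'html':
            case 'attr': // safe only when the template quotes the attribute value
                return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            case 'js':
                // Emits a quoted JS string literal; <, >, &, ' and " become \uXXXX,
                // so the value cannot close a surrounding <script> element.
                return json_encode(
                    $value,
                    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
                );
            case 'url':
                return rawurlencode($value); // one query-string or path component
            default:
                // Fail closed: an unknown context must never fall back to raw output.
                throw new InvalidArgumentException("Unknown escape context: {$context}");
        }
    }
}

// Constructed sample value containing characters that matter in each context.
$value = 'Tom & "Jerry" </script>';

foreach (['html', 'attr', 'js', 'url'] as $context) {
    printf("%-4s %s\n", $context, ContextEscaper::escape($value, $context));
}
```

The same value comes out with a different encoding in each context, which is why an HTML-only wrapper does not cover script or URL output.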