> I suppose you mean that <?= $row['data'] ?> is the unsafe variant.
> How does this rfc make it not "works good"? people will still have to think escaping their data.

It suggests a way in which the safe variant is as easy as the unsafe one, without any additional code. Of course, the unsafe variant cannot be removed because of backward compatibility. But in new code it will not be used as often as now; it will be used in maybe 1-2% of cases, and old code can gradually be rewritten with the new operator.

> and what it might look like with function autoloading: <?= html($row['data']) ?>
> that's why people here are talking about function autoloading

As I understand it, function autoloading cannot load $this->html(). In this example it can load MyClass::html() or MyNamespace\html(), but not $object->html(). And it does not solve the problem of repeating the same action, or the security problem when this action is missed. It is not a problem to create one global function for escaping. The problem is to write it everywhere.

> htmlspecialchars + json_encode is the correct way to encode a javascript string inside an html page

Yes, it is written there exactly as you said:

    alert(<?= htmlspecialchars(json_encode($thing['name']), ENT_QUOTES) ?>);

Initially my goal was just an operator for HTML escaping. I tried to show that this is a frequently used context. I added work with other contexts because, as I understood, their support is required for such an operator. If it is just for HTML escaping, there will not be a problem with global state.

Also, I think it is possible to remove the registry and the PHPEscaper class and make only set_escape_handler() and restore_escape_handler(), exactly like set_error_handler(). Would this be a more appropriate variant? This can be used for [$this, 'escape'] or ['MyEscaper', 'escape'] callables. I just wanted to create a tool ready for use.

> I was thinking about something like that instead:
> <?[$escaper...]= $data ?>

One of the main reasons for creating this RFC is to have default HTML escaping. Copy-paste is the wrong approach. Without automatic escaping there is no reason to change the language syntax.
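
An added illustration, not part of the original message or the RFC: the manual, per-context escaping the thread is discussing, written with today's PHP functions. The helper names html(), js_in_attr() and js_in_script() and the sample value are hypothetical; the `<script>` case is included because HTML entities are not decoded inside a script block, so that context relies on json_encode()'s JSON_HEX_* flags rather than htmlspecialchars().

```php
<?php
declare(strict_types=1);

// Constructed sample value, standing in for $row['data'] / $thing['name'].
$name = "O'Reilly </script> & \"co\"";

// HTML text or attribute-value context.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript literal inside an HTML attribute such as onclick:
// json_encode() builds the JS literal, html() then protects the attribute.
// The browser decodes the entities before the JS engine sees the value.
function js_in_attr($value): string
{
    return html(json_encode($value, JSON_THROW_ON_ERROR));
}

// JavaScript literal inside a <script> block: entities are NOT decoded
// here, so <, >, &, ' and " are emitted as \uXXXX escapes instead.
function js_in_script($value): string
{
    return json_encode(
        $value,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP
            | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}
?>
<!-- Every output site has to name the right helper for its context. -->
<p><?= html($name) ?></p>
<button onclick="alert(<?= js_in_attr($name) ?>)">show</button>
<script>
var name = <?= js_in_script($name) ?>;
</script>
```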