A few minutes ago, security updates for CVE-2016-2040 were published:
https://github.com/phpmyadmin/phpmyadmin/commit/edffb52884b09562490081c3b8666ef46c296418
https://github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc
https://github.com/phpmyadmin/phpmyadmin/commit/aca42efa01917cc0fe8cfdb2927a6399ca1742f2

Regards
Thomas

Thomas Bley wrote on 24.07.2016 18:21:
>> <?* $str ?>
>>
>> instead of
>>
>> <?=h($str)?>
>
> Benefits are using static code analyzers, grep "<?=" for code reviews, etc.
> Having function names with single characters is bad taste and only useful
> for obfuscating.
> Using multiple frameworks or libraries, it's not possible to redeclare
> functions with the same name.
>
> The big difference is:
> With <?*, you have to define an escaping function; with <?= it's optional.
>
> Regards
> Thomas
>
>
> Christoph Becker wrote on 24.07.2016 17:54:
>
>> On 24.07.2016 at 16:55, Thomas Bley wrote:
>>
>>> In total a good rfc everybody should be happy with.
>>
>> I'm not happy (to put it mildly) with the RFC as it's now. The RFC
>> speaks of *operator*, where actually start-tags[1] are meant, to start
>> with. Using the word operator is rather confusing in this context.
>>
>> Then the RFC states that the new operator is compiled into the following
>> AST:
>>
>> | echo escape_handler_call(first_argument, second_argument);
>>
>> But what happens to additional code, e.g.
>>
>> <?* $str, 'html', 42 ?>
>> <?* $str, 'html'; echo 42 ?>
>>
>> Contrast that to the language specification which explains:
>>
>> | If <?= is used as the start-tag, the Engine proceeds as if the
>> | statement-list started with echo statement.
>>
>> Simple, yet precise.
>>
>> Anyhow, even if these formal issues will be addressed, I still don't see
>> the benefit of being able to write
>>
>> <?* $str ?>
>>
>> instead of
>>
>> <?=h($str)?>
>>
>> The argument that h() might be forgotten is moot, because it's similarly
>> easy to accidentally write = instead of *, and both forms allow for
>> equally well (semi-)automatic verification that all output is escaped.
>>
>> [1]
>> <https://github.com/php/php-langspec/blob/master/spec/04-basic-concepts.md#program-structure>
>>
>> --
>> Christoph M. Becker
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
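As an added illustration of the two points argued above (it is not code from the thread or from the RFC): a conventional h() helper as used in the <?=h($str)?> form, and the kind of semi-automatic "grep for <?=" check both posters mention, run over a constructed template. The function names h() and find_unescaped_echo_tags() are the example's own.

```php
<?php
declare(strict_types=1);

// The escaping helper that the "<?=h($str)?>" form relies on: encode the
// characters that are significant in HTML text and attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Return [lineNumber => expression] for every "<?= ... ?>" tag in $template
 * whose expression is not wrapped in h(). This is the review-time check the
 * thread describes; it is a heuristic, not a parser, so treat hits as
 * candidates for manual inspection rather than proof of a missing escape.
 */
function find_unescaped_echo_tags(string $template): array
{
    $hits = [];
    // The /s modifier lets an echo expression span several lines.
    if (preg_match_all('/<\?=(.*?)\?>/s', $template, $m, PREG_OFFSET_CAPTURE) === 0) {
        return $hits;
    }
    foreach ($m[1] as [$expr, $offset]) {
        $expr = trim($expr);
        if (!preg_match('/^h\s*\(/', $expr)) {
            // Line number = newlines before the match offset + 1.
            $hits[substr_count($template, "\n", 0, $offset) + 1] = $expr;
        }
    }
    return $hits;
}

// Constructed sample template: lines 2 and 4 echo values without h().
$template = <<<'TPL'
<h1><?= h($title) ?></h1>
<p><?= $comment ?></p>
<a href="/u/<?= h($user) ?>">profile</a>
<?= $footer ?>
TPL;

// A hostile value passed through h() comes out as inert text.
echo h('<script>alert(1)</script>'), "\n";

// Report every short echo tag that bypasses h().
foreach (find_unescaped_echo_tags($template) as $line => $expr) {
    printf("line %d: <?= %s ?> is not wrapped in h()\n", $line, $expr);
}
```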