On 24/07/2016 17:21, Thomas Bley wrote:
> <?* $str ?>
> instead of
> <?=h($str)?>
> benefits are using static code analyzers, grep "<?=" for code reviews, etc.

It's not that difficult to write a static analyser that detects
instances of "<?=" not followed by "h(" or "e(" or whatever.

> Having function names with single characters is bad taste and only useful for
> obfuscating.

And having a token "*" that calls a different function in every
application is somehow less obfuscated?

> Using multiple frameworks or libraries, it's not possible to redeclare
> functions with the same name.

It's not possible for multiple frameworks or libraries to declare
different escape handlers in your proposal, either.

> The big difference is:
> With <?*, you have to define an escaping function, with <?= it's optional.

You could equally say, "with <?=e()?> you have to define an e()
function". The main effort is remembering to use the right syntax, which
you have to do either way.
Surely the feature gets most of its value from what you *don't* need to
do - which is why I think it's bizarre that the current version doesn't
even have a built-in HTML escaper at all.
Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
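The "static analyser that detects instances of <?= not followed by h( or e(" mentioned in the reply above, written out as an added example. This is not code from the thread or from PHP itself; the escaper names in ALLOWED_ESCAPERS and the sample template are constructed for illustration, and a real project would substitute its own helper names. Beyond the plain grep, it also rejects `<?= h($a) . $b ?>`, where the escape call does not cover the whole expression.

```python
import re
from typing import List, Tuple

# Helper names whose call, wrapping the whole echoed expression, counts as
# "escaped". Constructed for this example; use your project's own names.
ALLOWED_ESCAPERS = ("h", "e", "htmlspecialchars", "htmlentities")

# "<?= ... ?>" with the inner expression captured (whitespace trimmed).
SHORT_ECHO = re.compile(r"<\?=\s*(?P<body>.*?)\s*\?>", re.DOTALL)

# A leading function call, optionally namespaced: "h(", "\App\View\h(".
CALL_PREFIX = re.compile(r"^(?P<fn>\\?[A-Za-z_][A-Za-z0-9_\\]*)\s*\(")


def _call_spans_whole_body(body: str, open_idx: int) -> bool:
    """True if the '(' at open_idx closes at the very last character of body.

    Tracks nesting depth and skips over single- and double-quoted strings so
    parentheses inside string literals do not confuse the count.
    """
    depth = 0
    quote = None
    i = open_idx
    while i < len(body):
        c = body[i]
        if quote:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i == len(body) - 1
        i += 1
    return False


def is_escaped(body: str) -> bool:
    """True only if body is a single call to an allowed escaper."""
    m = CALL_PREFIX.match(body)
    if not m:
        return False
    fn = m.group("fn").split("\\")[-1]   # drop any namespace prefix
    if fn not in ALLOWED_ESCAPERS:
        return False
    return _call_spans_whole_body(body, m.end() - 1)


def find_unescaped_echoes(template: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, expression) for each <?= ... ?> not wrapped
    in an allowed escaper. Lines and columns are 1-based."""
    findings = []
    for m in SHORT_ECHO.finditer(template):
        body = m.group("body")
        if is_escaped(body):
            continue
        line = template.count("\n", 0, m.start()) + 1
        col = m.start() - template.rfind("\n", 0, m.start())
        findings.append((line, col, body))
    return findings


# Constructed sample template: lines 2 and 4 should be flagged.
SAMPLE_TEMPLATE = r"""<p>Hello <?= h($user['name']) ?></p>
<p>Bio: <?= $user['bio'] ?></p>
<a href="<?= e($url) ?>">link</a>
<span><?= h($first) . $last ?></span>
<?= \App\View\h($x) ?>
"""

if __name__ == "__main__":
    for line, col, body in find_unescaped_echoes(SAMPLE_TEMPLATE):
        print(f"sample.php:{line}:{col}: unescaped short echo: <?= {body} ?>")
```

The check is purely lexical: it does not know which helper is correct for the output context (an HTML-escaper in a JavaScript block is still wrong), and a `?>` inside a PHP string literal will cut the expression short. It is the grep-with-a-little-more-care from the thread, not a substitute for a real template engine's escaping.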