Edit report at https://bugs.php.net/bug.php?id=62574&edit=1
ID: 62574
Comment by: chuyu at microsoft dot com
Reported by: thbley at gmail dot com
Summary: New operator for htmlspecialchars
Status: Open
Type: Feature/Change Request
Package: *General Issues
PHP Version: Irrelevant
Block user comment: N
Private report: N

New Comment:

I was thinking the same thing. One advantage of using some template engines (twig, phptal) is that they automatically escape html characters during output. Many people use these template engines simply for that due to XSS worries. However if we have such an operator, then we can create a simple php native template engine (which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest to make the operator like <?~ $var ?>, the reason is that ~ is often located near the 'ESC' on the keyboard, so it feels more like escape :-)

Previous Comments:
------------------------------------------------------------------------
[2012-10-26 19:24:31] ajf at ajf dot me

@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
------------------------------------------------------------------------
[2012-10-26 19:07:08] dagguh at gmail dot com

This is valid.

@ajf: You should never do anything "ahead-of-time" in programming. You should escape a variable right before passing it to an environment that requires this form of escaping.
------------------------------------------------------------------------
[2012-09-04 18:15:37] ajf at ajf dot me

(I'm all for this though, I'm just pointing out other options)
------------------------------------------------------------------------
[2012-09-04 18:06:32] ajf at ajf dot me

You can escape things ahead-of-time, you know. In fact, I have a feeling you could use foreach to traverse the symtable and escape everything.

(don't do that though, that's a horrendous idea)
------------------------------------------------------------------------
[2012-07-16 04:07:43] thbley at gmail dot com

Description:
------------
old:
<?php echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>

new:
echo <$str>;
<?= <$str> ?>

or:
<?+ $str ?>
------------------------------------------------------------------------
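The pattern the thread is arguing about, escaping at the point of output rather than ahead of time, can be shown with a small native PHP template helper. This is an added example, not code from the bug report or from PHP itself; the helper name e(), the render() function, the PHP 8 requirement and the sample input are assumptions made for the illustration.

```php
<?php
// Added example (not from the bug report): a minimal native PHP template
// helper that escapes at output time with htmlspecialchars(), which is the
// call the proposed <?~ $var ?> / <?+ $str ?> operator would abbreviate.
// e() and render() are names assumed for this example; requires PHP 8+.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both ' and " so the result is safe inside single- or
 * double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 * of returning an empty string, which would silently drop the output.
 */
function e(mixed $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a template file with the given variables. Variables are passed raw
 * and the template calls e() at each output point, so the same value can also
 * be used unescaped where another context needs it (a JSON body, a log line)
 * without ever being double-escaped (e.g. " becoming &amp;quot;).
 */
function render(string $templatePath, array $vars): string
{
    extract($vars, EXTR_SKIP); // EXTR_SKIP: $vars can never overwrite $templatePath
    ob_start();
    include $templatePath;
    return ob_get_clean();
}

// Constructed sample input resembling an attacker-controlled name field.
$vars = ['name' => '"><script>alert(1)</script>'];

// The template is written to a temp file so the example runs stand-alone.
// The nowdoc keeps <?= ... ?> as literal text for the template file.
$template = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($template, <<<'TPL'
<p>Hello, <?= e($name) ?></p>
<input type="text" value="<?= e($name) ?>">
TPL);

echo render($template, $vars);
unlink($template);
```

Run it with `php example.php`: both the text node and the attribute value come out with `<`, `>`, `"` and `'` replaced by entities, so the injected markup is rendered as literal text. Escaping inside the template, at the moment the value reaches HTML, is what keeps the raw value available for other output contexts and avoids the double-escaping that escaping "ahead of time" invites.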