Edit report at https://bugs.php.net/bug.php?id=62574&edit=1
ID: 62574
User updated by: thbley at gmail dot com
Reported by: thbley at gmail dot com
Summary: New operator for htmlspecialchars
Status: Open
Type: Feature/Change Request
Package: *General Issues
PHP Version: Irrelevant
Block user comment: N
Private report: N

New Comment:

So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>

Previous Comments:
------------------------------------------------------------------------
[2012-12-05 23:12:57] chuyu at microsoft dot com

I was thinking the same thing. One advantage of using some template engines (twig, phptal) is that they automatically escape html characters during output. Many people use these template engines simply for that due to XSS worries. However if we have such an operator, then we create a simple php native template engine (which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest to make the operator like <?~ $var ?>, the reason is that ~ is often located near the 'ESC' on the keyboard, so it feels more like escape :-)
------------------------------------------------------------------------
[2012-10-26 19:24:31] ajf at ajf dot me

@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
------------------------------------------------------------------------
[2012-10-26 19:07:08] dagguh at gmail dot com

This is valid.

@ajf: You should never do anything "ahead-of-time" in programming. You should escape a variable right before passing it to an environment that requires this form of escaping.
------------------------------------------------------------------------
[2012-09-04 18:15:37] ajf at ajf dot me

(I'm all for this though, I'm just pointing out other options)
------------------------------------------------------------------------
[2012-09-04 18:06:32] ajf at ajf dot me

You can escape things ahead-of-time, you know. In fact, I have a feeling you could use foreach to traverse the symtable and escape everything. (don't do that though, that's a horrendous idea)
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=62574
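The escape-at-output pattern discussed in this report, written as an added example in plain PHP (not code from the bug report or from PHP itself); the helper names out_html, out_stripped and out_int are assumptions standing in for the proposed <?+ ?>, <?- ?> and <?# ?> operators, and the input value is constructed:

```php
<?php
// Added example: plain-PHP helpers that do at output time what the proposed
// <?+ ?>, <?- ?> and <?# ?> operators would do. Names are hypothetical.
declare(strict_types=1);

// <?+ $str ?> / <?~ $str ?>: HTML-escape for an element body or attribute.
// ENT_QUOTES escapes both quote styles so the value is also safe inside "..."
// attributes; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
function out_html(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// <?- $str ?>: strip tags. strip_tags() alone is not an XSS mitigation: the
// result can still carry a stray '<' or quotes, so it is escaped afterwards.
function out_stripped(string $str): string
{
    return out_html(strip_tags($str));
}

// <?# $str ?>: force an integer so only digits (and a sign) reach the page.
function out_int($value): string
{
    return (string) (int) $value;
}

// Constructed sample input standing in for a hostile user-supplied value.
$str = '<img src=x onerror="alert(1)"> Tom & "Jerry"';

// Escaping happens once, where the value enters the HTML context. Escaping
// "ahead of time" (e.g. when storing) and again at output double-encodes the
// ampersands, which the last paragraph below makes visible.
$early = out_html($str);
?>
<p>escaped:  <?= out_html($str) ?></p>
<p>stripped: <?= out_stripped($str) ?></p>
<p>int:      <?= out_int('42abc') ?></p>
<p>double:   <?= out_html($early) ?></p>
```

Run it with `php example.php` and compare the "escaped" and "double" lines to see why the comments argue for escaping at output rather than ahead of time.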