On Mon, 21 Jun 2021 at 11:38 pm, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi,
>
> The name "is_trusted" is misleading.
> Literal is nothing but literal.
>
> <html>
> <?php
> eval('$var = ' . $_GET['a']);
>
> if (is_trusted($var)) echo $var;
> ?>
> </html>
>
> Literals cannot always be trusted.

That’s explained in the RFC, under “Limitations” and “Faking it”…

“That said, we do not pretend there aren't ways around this (e.g. using var_export), but doing so is clearly the developer doing something wrong. We want to provide safety rails, but there is nothing stopping the developer from jumping over them if that's their choice.”
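As an added illustration of the "safety rails" point (not code from the thread or the RFC), here is how is_trusted() would be used as a guard in a query helper: SQL text must be assembled from source-code literals, user input travels as bound parameters. It assumes a PHP build carrying the RFC's is_trusted() patch; the helper name, the SQLite schema and the sample input are constructed for the example.

```php
<?php
// Added example, not from the thread or the RFC. Assumes a PHP build with the
// is_trusted() RFC patch applied (the function is not in a released PHP).
declare(strict_types=1);

/**
 * Run a query only when the SQL text itself originates from source-code
 * literals (the RFC's safety rail). Values go through bound parameters,
 * so request data never becomes part of the SQL string.
 */
function safe_query(PDO $db, string $sql, array $params = []): PDOStatement
{
    if (!is_trusted($sql)) {
        throw new LogicException('SQL text must be built from literals only');
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed stand-in for request input: a runtime value, never a literal.
$input = $_GET['name'] ?? bin2hex(random_bytes(4));

// Accepted: every piece is a literal, and concatenating literals stays trusted.
$column = 'name';
safe_query($db, 'SELECT id, ' . $column . ' FROM users ORDER BY ' . $column);

// Accepted: the runtime value is a bound parameter, not part of the SQL text.
safe_query($db, 'SELECT id FROM users WHERE name = ?', [$input]);

// Rejected: concatenating the runtime value into the SQL makes it untrusted.
try {
    safe_query($db, "SELECT id FROM users WHERE name = '" . $input . "'");
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The guard cannot see through eval() or var_export(), as the RFC says; it catches the common mistake of mixing request data into query text, which is the case the rail is meant for.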