On Mon, 21 Jun 2021 at 11:38 pm, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi,
>
> The name "is_trusted" is misleading.
> Literal is nothing but literal.
>
> <html>
> <?php
> eval('$var= '. $_GET['a'] );
>
> if (is_trusted($var)) echo $var;
> ?>
> </html>
>
> Literals cannot always be trusted.
>
That’s explained in the RFC, under “Limitations” and “Faking it”…

“That said, we do not pretend there aren't ways around this (e.g. using
var_export), but doing so is clearly the developer doing something wrong.
We want to provide safety rails, but there is nothing stopping the
developer from jumping over them if that's their choice.”
