Hi Andrey,
Thank you for the thoughtful reply — I completely agree that full
context-aware escaping (like in Twig or Blade) is essential for complex
or mixed-output scenarios.
My intention isn’t to replace that kind of intelligence, but rather to
offer a simple, safe default for the most common case: outputting plain
user-supplied text inside HTML text content or double-quoted attributes,
e.g.:
```
<p><?~ $comment ?></p>
<input value="<?~ $name ?>">
```
In these cases, htmlspecialchars(..., ENT_QUOTES | ENT_HTML5, 'UTF-8')
is sufficient and widely recommended. The goal isn’t to solve all XSS
vectors, but to eliminate the most frequent footgun: forgetting to
escape at all.
Developers would still be responsible for using proper context-specific
escaping (or a full templating engine) when interpolating into <script>,
styles, URLs, or unquoted attributes — but for the 80% case of rendering
form values or content in standard HTML, <?~ would provide a concise,
secure-by-default shortcut.
Think of it as similar to how <?= ... ?> made output easier than <?php
echo ... ?> — not a security feature per se, but a nudge toward safer
habits in everyday templating.
Would that narrower scope make the proposal more reasonable for core?
Best regards,
Sergei
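To make the scope concrete, here is an added example (not part of the proposal, the thread, or PHP core) that uses a hypothetical user-land helper `h()` as a stand-in for the proposed `<?~` tag, with the exact `htmlspecialchars()` flags named above, and walks through the contexts it covers and the ones it does not:

```php
<?php
declare(strict_types=1);

// Hypothetical user-land stand-in for the proposed <?~ ?> tag:
// plain htmlspecialchars() with the flags named in the thread.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: user-supplied text containing a double quote
// followed by an attribute name, the classic shape a scanner would send.
$name = '" onmouseover="alert(1)';

// 1. Contexts the shortcut is meant for: text content and a double-quoted
//    attribute. The quote becomes &quot;, so the attribute cannot be closed.
echo '<p>' . h($name) . "</p>\n";
echo '<input value="' . h($name) . "\">\n";
// <input value="&quot; onmouseover=&quot;alert(1)">

// 2. A context it does NOT cover: an unquoted attribute. htmlspecialchars()
//    never touches spaces, '=' or parentheses, so a space ends the value and
//    the rest of the string is parsed as a new attribute.
$unquoted = 'x onmouseover=alert(1)';
echo '<input value=' . h($unquoted) . ">\n";
// <input value=x onmouseover=alert(1)>   <- escaping changed nothing

// 3. Another uncovered context: a URL attribute. The scheme is ordinary
//    text to htmlspecialchars(), so a script: URL survives intact.
$url = 'javascript:alert(1)';
echo '<a href="' . h($url) . "\">link</a>\n";
// <a href="javascript:alert(1)">link</a>  <- needs URL-context validation
```

Cases 2 and 3 are exactly the "script, styles, URLs, or unquoted attributes" list from the message: the shortcut is a correct default only for case 1, and a reviewer should treat `<?~` in any other position as unescaped.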
On 12/23/25 14:55, Andrey Andreev wrote:
> Hi Sergei,
> XSS escaping is unfortunately not as simple as that. Templating
> engines are context-aware and can know whether to apply escaping for
> free-form text or an attribute (which can often also be validated by
> type), specific tag behaviors, and even whether the output is to be
> executed as HTML, XML, CSS, JS, etc.
> One-size-fits-all escaping that doesn't take such context into account
> is not effective and even makes things worse by giving developers a
> false sense of security.
> Cheers,
> Andrey.