Hello Jared,

Sunday, March 23, 2008, 1:57:20 PM, you wrote:


>> -----Original Message-----
>> From: Stefan Walk [mailto:[EMAIL PROTECTED] 
>> Sent: 23 March 2008 11:08
>> To: Jared Williams
>> Cc: 'PHP Internals'
>> Subject: Re: [PHP-DEV] short_open_tag
>> 
>> Jared Williams schrieb:
>> > <ul>
>> > <? foreach ($items as $item): ?>
>> > <li><?=htmlspecialchars($item)?></li>
>> > <? endforeach ?>
>> > </ul>
>> 
>> Well, it's the same as the "but I can't validate my php 
>> source with xmllint" folks: You're doing it at the wrong 
>> point. Escaping should happen at the point where you assign 
>> the var as a template var (in my small template class: 
>> $tpl->assign('items', $some_data) will escape all "leaves" in 
>> the data $some_data). This way you don't have to type it 
>> every time, you don't have to read it every time and - best of 
>> all - you can't forget to do it, so introducing an XSS 
>> vulnerability is much less likely.
>> 
>> Regards,
>> Stefan

> A lot of people don't use templates, just raw PHP. So having a short tag
> escaping would decrease XSS vulnerabilities.

> I don't understand why need to essentially duplicate all the variables just
> to provide proper escaping. 

Same here. PHP itself is the templating system. And we should focus on that
one. Because that is the vast majority of users. However we shouldn't make
other stuff harder than necessary. That said, I more and more think we need
to revisit our tags. XML allows ':' and '_' in names. And as Jared just
wrote, one of the things very often done is html escaping in short output.
So I'd like to see the following:
<?php   just as now of course
<?:     just as <?= but xml compliant, I have seen other ppl mentioning <?p
<?phtml just like <?php echo or <?= but doing html escaping


Best regards,
 Marcus


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
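The escape-at-assignment approach Stefan describes, as an added example that is not code from the thread (the `Tpl` class, its method names and the sample data are assumed); it renders the same `<ul>` loop Jared quoted without a per-value `htmlspecialchars()` call:

```php
<?php
// Added example, not from the thread: a minimal template class that
// HTML-escapes every string "leaf" of assigned data at assign() time,
// so view code can print values without calling htmlspecialchars() each time.
class Tpl
{
    private array $vars = [];

    // Recursively escape strings inside (nested) arrays; other scalars pass through.
    private static function escapeLeaves(mixed $value): mixed
    {
        if (is_array($value)) {
            return array_map(fn($v) => self::escapeLeaves($v), $value);
        }
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
        return $value;
    }

    public function assign(string $name, mixed $data): void
    {
        $this->vars[$name] = self::escapeLeaves($data);
    }

    // Expose the escaped vars to the template and capture its output.
    public function render(string $file): string
    {
        extract($this->vars, EXTR_SKIP);
        ob_start();
        include $file;
        return ob_get_clean();
    }
}

// Constructed sample data containing markup that must not be interpreted.
$tpl = new Tpl();
$tpl->assign('items', ['plain', '<script>alert(1)</script>', 'a & b']);

// The template is written to a temp file so the example runs stand-alone;
// in practice this would be a .phtml view using the same loop as above.
$view = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($view, "<ul>\n<?php foreach (\$items as \$item): ?>\n"
    . "<li><?= \$item ?></li>\n<?php endforeach ?>\n</ul>\n");
echo $tpl->render($view);
unlink($view);
```

Escaping at assignment fixes the data to one output context (HTML text), so a value that later lands in a URL or a JavaScript string still needs that context's own encoding.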
