Jared Williams wrote:
> A lot of people don't use templates, just raw PHP. So having a short tag
> escaping would decrease XSS vulnerabilities.
Well, I don't think that would be wise, because then you'd have to watch
if you're inside <?= or <?(php)? ...
> I don't understand why need to essentially duplicate all the variables just
> to provide proper escaping.
It's not "all" (usually the template uses far fewer vars than your
controlling logic), and it's not "just" (you don't want foreach ($a as
$b) in your template changing $b in your controlling logic); doing the
include $template in a function call, after setting up the vars,
protects you from side-effects of your templates.
Regards,
Stefan
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
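
Added example, not part of the message above: a sketch of the pattern the reply describes, where the template is included inside a function call after escaped copies of its variables are set up. The `render()` helper, the template text and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the thread). render() and the template are hypothetical.

/**
 * Render $templateFile with only the variables in $vars visible to it.
 * Values are copied and HTML-escaped; the caller's own variables are untouched.
 */
function render(string $templateFile, array $vars): string
{
    $esc = static fn ($v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');

    // Escaped copies for an HTML context (scalars and one level of arrays).
    $escaped = array_map(
        static fn ($v) => is_array($v) ? array_map($esc, $v) : $esc($v),
        $vars
    );

    // The closure gives the template its own local scope: anything it creates
    // or overwrites (such as a foreach loop variable) ends with the call.
    $scope = static function (string $__file, array $__vars): string {
        extract($__vars, EXTR_SKIP);   // EXTR_SKIP: keys cannot clobber $__file / $__vars
        ob_start();
        include $__file;
        return (string) ob_get_clean();
    };

    return $scope($templateFile, $escaped);
}

// Constructed template: short echo tags plus a foreach that reuses the name $b.
$template = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents(
    $template,
    '<h1><?= $title ?></h1><?php foreach ($a as $b): ?><li><?= $b ?></li><?php endforeach; ?>'
);

// Controlling logic with its own $b, which the template must not change.
$b = 'controller value';
$html = render($template, [
    'title' => 'Comments',
    'a'     => ['plain', '<script>alert(1)</script>'],   // constructed untrusted input
]);
unlink($template);

echo $html, "\n";
// Compare the controller's $b after the template's foreach ran in render()'s scope.
var_dump($b === 'controller value');
```

The template only ever sees the escaped copies, so its plain `<?= ?>` output is safe for an HTML body context; values destined for attributes, URLs or JavaScript need context-specific encoding instead.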