You can simply add the context to the current output operator:

<?=html $str ?>
<?=attr $str ?>
<?=text $str ?> (=strip_tags)
<?=js $str ?>
<?=css $str ?>

Regards
Thomas

Stanislav Malyshev wrote on 17.06.2016 22:14:
> Hi!
>
>> Most of output code is an output of properties of database entities, and
>> only in some cases it's needed to concatenate HTML into string and then
>> print it with unescaped output. Escaped output operator can be useful. Also
>> we output data not into the void and not into simple text file, but into
>> HTML-document which has a certain format (markup). Also this is logical -
>> to have both forms, escaped and unescaped.
>
> This has been discussed on the list a number of times. Main issue with
> this kind of proposals is that escaping is context-dependent. E.g.
> htmlspecialchars() would not help you in many scenarios - e.g. it won't
> protect you from XSS if you ever place user-controlled data in HTML
> attributes. Having operator for each of the possible contexts does not
> really look feasible, and having it for only one of them and not the
> others would be misleading people into thinking this operator is generic
> and can be used in all contexts safely.
>
> --
> Stas Malyshev
> smalys...@gmail.com
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
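
The context-dependence discussed in this thread, as an added example that is not part of the original messages or of PHP itself: `escape_for()` and its context names are hypothetical helpers, and the input is a constructed sample value. It shows one value passing through htmlspecialchars() untouched and then being encoded per output context.

```php
<?php
// Added example. escape_for() and its context names are hypothetical
// helpers for illustration, not an existing or proposed PHP API.
declare(strict_types=1);

function escape_for(string $context, string $value): string
{
    switch ($context) {
        case 'html': // text between tags
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        case 'attr': // plain attribute value, quoted or not: every non-alphanumeric
                     // becomes &#xHH; (URL and event-handler attributes need more)
            $out = preg_replace_callback(
                '/[^A-Za-z0-9]/u',
                static function (array $m): string {
                    return '&#x' . dechex(mb_ord($m[0], 'UTF-8')) . ';';
                },
                $value
            );
            if ($out === null) { // preg error, e.g. invalid UTF-8 input
                throw new InvalidArgumentException('value is not valid UTF-8');
            }
            return $out;

        case 'js': // complete JS string literal (quotes included) inside <script>
            $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
            return json_encode($value, $flags | JSON_THROW_ON_ERROR);

        default:
            throw new InvalidArgumentException("unknown context: $context");
    }
}

// Constructed sample value: contains none of the characters < > & " '
$input = 'x onmouseover=alert(1)';

// Element content: the html escaper is the right one.
echo '<p>', escape_for('html', $input), "</p>\n";

// Unquoted attribute: htmlspecialchars() leaves the space and "=" alone, so
// the browser would parse a second attribute. The attr escaper encodes both.
echo '<input value=', escape_for('html', $input), ">   <!-- wrong context -->\n";
echo '<input value=', escape_for('attr', $input), ">\n";

// Script block: the value becomes one string literal.
echo '<script>var name = ', escape_for('js', $input), ";</script>\n";
```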