On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley <ma...@thomasbley.de> wrote:
> you can simply add the context to the current output operator:
> <?=html($str) ?>
> <?=attr($str) ?>
> <?=text($str) ?> (=strip_tags)
> <?=js($str) ?>
> <?=css($str) ?>

Look at that. Add a couple parens and it's completely implementable in userland now with no language changes required.

> Regards
> Thomas
>
> Stanislav Malyshev wrote on 17.06.2016 22:14:
> > Hi!
> >
> >> Most output code is an output of properties of database entities, and only in some cases is it needed to concatenate HTML into a string and then print it with unescaped output. An escaped output operator can be useful. Also, we output data not into the void and not into a simple text file, but into an HTML document which has a certain format (markup). Also this is logical - to have both forms, escaped and unescaped.
> >
> > This has been discussed on the list a number of times. The main issue with this kind of proposal is that escaping is context-dependent. E.g. htmlspecialchars() would not help you in many scenarios - e.g. it won't protect you from XSS if you ever place user-controlled data in HTML attributes. Having an operator for each of the possible contexts does not really look feasible, and having it for only one of them and not the others would be misleading people into thinking this operator is generic and can be used in all contexts safely.
> >
> > --
> > Stas Malyshev
> > smalys...@gmail.com
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
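The five userland helpers named in the thread, written out as an added example (not code from the thread or from any PHP project) to show what "context-dependent" means in practice: the same untrusted value needs a different transformation in body text, in an attribute, in a script block and in a stylesheet. The function bodies, the flags and the sample input are my assumptions; attr() deliberately emits its own quotes so that the unquoted-attribute case Stas mentions cannot arise.

```php
<?php
// Added example: context-specific escaping helpers as userland functions.
// Names html/attr/text/js/css follow the thread; bodies are assumptions.
declare(strict_types=1);

const HTML_FLAGS = ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE;

/** HTML body text: escape &, <, >, " and '. */
function html(string $s): string
{
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

/** HTML attribute value: escape AND emit the surrounding double quotes, so a
 *  template that writes value=<?=attr($x)?> can never produce an unquoted
 *  attribute that a space or '=' in the data could break out of. */
function attr(string $s): string
{
    return '"' . htmlspecialchars($s, HTML_FLAGS, 'UTF-8') . '"';
}

/** Plain text (the "=strip_tags" variant): drop markup, then still escape,
 *  since strip_tags alone leaves '<' and '&' fragments behind. */
function text(string $s): string
{
    return html(strip_tags($s));
}

/** JavaScript string literal: json_encode with the HTML-safe flags, so that
 *  <, >, &, ' and " become \uXXXX and "</script>" in data cannot end the block. */
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** CSS string value: allow only [A-Za-z0-9]; everything else becomes a
 *  six-digit \XXXXXX escape, which needs no trailing delimiter. */
function css(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%06X', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed sample containing every character that matters in some context.
$user = 'x" y=\'<b>z</b> & q\'';
echo '<p>', html($user), "</p>\n";
echo '<input value=', attr($user), ">\n";
echo '<script>var u = ', js($user), ";</script>\n";
echo '<style>.u::after{content:"', css($user), "\"}</style>\n";
```

Note that none of these helpers covers a URL context (an href or src), which has its own rules; this is exactly the point in the thread that a single "escaped output" operator would paper over.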