Sure, you can implement that in userland, but people don't do it or make it too
complicated, so you get everyday code with unescaped stuff.

Regards
Thomas

Ryan Pallas wrote on 18.06.2016 00:27:

> 
> 
> On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley <ma...@thomasbley.de> wrote:
>> you can simply add the context to the current output operator:
>> <?=html($str) ?>
>> <?=attr($str) ?>
>> <?=text($str) ?> (=strip_tags)
>> <?=js($str) ?>
>> <?=css($str) ?>
> 
> 
> Look at that. Add a couple of parens and it's completely implementable in
> userland now with no language changes required.
> 
> 
>> Regards
>> Thomas
>> 
>> 
>> Stanislav Malyshev wrote on 17.06.2016 22:14:
>> 
>> > Hi!
>> >
>> >> Most output code is output of properties of database entities, and
>> >> only in some cases is it necessary to concatenate HTML into a string and then
>> >> print it with unescaped output. An escaped output operator can be useful.
>> >> Also, we output data not into the void and not into a simple text file, but into
>> >> an HTML document which has a certain format (markup). Also, this is logical:
>> >> to have both forms, escaped and unescaped.
>> >
>> > This has been discussed on the list a number of times. The main issue with
>> > this kind of proposal is that escaping is context-dependent. E.g.
>> > htmlspecialchars() would not help you in many scenarios - e.g. it won't
>> > protect you from XSS if you ever place user-controlled data in HTML
>> > attributes. Having an operator for each of the possible contexts does not
>> > really look feasible, and having it for only one of them and not the
>> > others would mislead people into thinking this operator is generic
>> > and can be used in all contexts safely.
>> >
>> > --
>> > Stas Malyshev
>> > smalys...@gmail.com
>> >
>> 
>> 

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
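The five context helpers from the quoted list, written out as an added example rather than code from the thread. The function bodies, the shared encodeAscii() helper, the stricter attribute and CSS encoding and the sample input are my own choices; it assumes PHP 7.4 or later.

```php
<?php
// HTML element content: the five special characters become entities.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shared by attr() and css(): rewrite every non-alphanumeric ASCII byte
// with $fmt; multibyte UTF-8 passes through unchanged.
function encodeAscii(string $s, string $fmt): string
{
    return preg_replace_callback('/[^a-zA-Z0-9\x80-\xFF]/',
        static fn(array $m): string => sprintf($fmt, ord($m[0])), $s);
}

// HTML attribute value, stricter than html(): numeric references for every
// punctuation byte, so the value cannot close an attribute left unquoted.
function attr(string $s): string
{
    return encodeAscii($s, '&#x%02X;');
}

// CSS string value: \HH plus a space, so the next character is never absorbed.
function css(string $s): string
{
    return encodeAscii($s, '\\%02X ');
}

// Plain text (the list's "=strip_tags"); the remainder is still entity-encoded,
// because strip_tags() alone leaves quotes intact.
function text(string $s): string
{
    return html(strip_tags($s));
}

// JavaScript string literal, quotes included: the HEX flags keep "<", ">",
// "&" and quotes out, so the HTML parser never sees "</script>" inside it.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// One constructed untrusted value rendered into all five contexts.
$v = '"><b>x</b> & \'y\'';
echo '<p>' . html($v) . "</p>\n";
echo '<input value="' . attr($v) . "\">\n";
echo '<span>' . text($v) . "</span>\n";
echo '<script>var v = ' . js($v) . ";</script>\n";
echo '<style>p::after { content: "' . css($v) . "\"; }</style>\n";
```

Each helper is only correct for the one context named in its comment, which is exactly the point made above: the template author still has to pick the right one.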
