Guys, wait please :) I don't suggest an escaping package for all contexts and all cases. This is not what I described in my first letter. My point is that the main job of the echo operator "<?= ?>" is to output an unknown value from the database into an HTML environment. So in all these places we have to copy-paste the call to htmlspecialchars() to prevent XSS. There are many projects written on custom engines, frameworks, or CMSes that do not have any templating engine, and there is no possibility of rewriting many working PHP templates to Twig, Smarty, or something else.
I suggest a new simple operator "<?~ ?>" which will automatically wrap the output value in htmlspecialchars(). It is intended specifically for HTML, not for XML or JS. It does not require any php.ini settings, new classes or constants. The reason for implementing it is the same as for implementing the "??", "<=>", or "<?= ?>" operators: make usual and frequent operations better, decrease copy-paste, and increase security. I can implement it myself and send a patch. What do you think?

2016-06-19 12:59 GMT+05:00 Marco Pivetta <ocram...@gmail.com>:

> On 19 June 2016 at 09:53, Niklas Keller <m...@kelunik.com> wrote:
>
>> Rasmus Schultz <ras...@mindplay.dk> wrote on Sat., 18 June 2016, 17:44:
>>
>> Did you know that you can alias namespaces, too?
>>
>> <?php use My\Stuff\Escape as esc; ?>
>> <?=esc\html($str)?>
>>
>> You can always add more functions to a namespace, even spread across
>> multiple files.
>
> Pro-userland: quick reminder that a `composer update` is much quicker than
> a full system PHP version upgrade.
>
> I'd rather rely on an escaping package written in PHP, easier to maintain
> and quicker to upgrade, than something that will likely use some obscure
> shared library (or the PHP binary itself) that may not be upgraded for
> weird reasons (it's shared, remember?).
>
> I know that you put a lot of effort in security maintenance, but it's
> still easier to deal with this stuff in userland in any case, and most
> templating languages in common frameworks already inject helpers in the
> script context in order to achieve quick, effective and context-aware (no
> automatic context detection) escaping.
>
> Marco Pivetta
>
> http://twitter.com/Ocramius
>
> http://ocramius.github.com/
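The following is an added example, not code from this thread or from any PHP package: a small userland escaping namespace of the kind Rasmus Schultz describes (aliased namespace plus plain functions), used to show why the proposal above restricts itself to the HTML context. The namespace `My\Stuff\Escape` and the functions `html()`, `js()` and `jsAttr()` are hypothetical names; the code assumes PHP 7.2+ with the mbstring extension (for `mb_ord()`). The attacker string is constructed for the demo.

```php
<?php
// Added example, not code from the thread. A small userland escaping
// namespace of the kind Rasmus Schultz describes (alias + functions);
// the namespace and function names are hypothetical. Assumes PHP >= 7.2
// with ext/mbstring for mb_ord().
declare(strict_types=1);

namespace My\Stuff\Escape {

    // HTML body context: the same thing the copy-pasted
    // "<?= htmlspecialchars(...) ?>" does, with the flags spelled out.
    // ENT_QUOTES escapes ' as well as " (the pre-8.1 default ENT_COMPAT did
    // not); ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
    function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // JavaScript string-literal context: encode every character outside
    // [A-Za-z0-9,._] as \uXXXX, so the value can never close the quote, end
    // the statement, or contain "</script>". HTML entities are useless here
    // because the JS engine does not decode them.
    function js(string $value): string
    {
        $out = preg_replace_callback('/[^A-Za-z0-9,._]/u', static function (array $m): string {
            $cp = mb_ord($m[0], 'UTF-8');
            if ($cp < 0x10000) {
                return sprintf('\\u%04X', $cp);
            }
            $cp -= 0x10000; // astral plane: emit a UTF-16 surrogate pair
            return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
        }, $value);
        if ($out === null) {
            throw new \RuntimeException('js(): input is not valid UTF-8');
        }
        return $out;
    }

    // Inline event handler attribute: the browser decodes HTML entities in
    // the attribute *before* handing the text to the JS parser, so the value
    // must be JS-escaped first and then HTML-escaped for the attribute.
    function jsAttr(string $value): string
    {
        return html(js($value));
    }
}

namespace {
    use My\Stuff\Escape as esc;

    // Constructed attacker input: closes the JS string, injects a call.
    $name = "');alert(document.cookie);//";

    // 1. HTML body: htmlspecialchars() (or the proposed "<?~ ?>") is enough.
    printf("<p>Hello, %s</p>\n", esc\html($name));

    // 2. Event handler attribute, HTML-escaped only. Looks safe, is not:
    //    the browser turns the quote entity back into ' before running the
    //    handler, so the JS becomes   f('');alert(document.cookie);//')
    printf("<a onclick=\"f('%s')\">unsafe</a>\n", esc\html($name));

    // 3. Same attribute, JS-escaped then HTML-escaped: the quote reaches the
    //    JS parser as \u0027, a character inside the string literal.
    printf("<a onclick=\"f('%s')\">safe</a>\n", esc\jsAttr($name));

    // 4. <script> block: no entity decoding happens here, so HTML escaping
    //    would only corrupt the data; js() alone is the right escaper.
    printf("<script>var name = '%s';</script>\n", esc\js($name));
}
```

Case 2 is the one a template-level `<?~ ?>` would not catch: the output is HTML-correct, and it is still XSS, because the context inside the attribute is JavaScript, not HTML. That is the reason context-aware helpers (an `html()`, `attr()`, `js()` family chosen by the template author) are what frameworks inject, and why an operator that always means "HTML body" has to be documented as exactly that.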