ID: 3284
Updated by: zeev
Old-Status: Open
Status: Closed
Bug Type: Feature/Change Request
Operating system: 
PHP Version: 4.0
Assigned To: 

This is quite against the spirit of PHP - we don't want to add arbitrary modifiers 
that perform arbitrary/unexpected behavior.

We could and probably should find a better name for htmlspecialchars() - perhaps 
to_html() or htmlize() or something along these lines.

Previous Comments:

[2001-05-20 23:57:44] [EMAIL PROTECTED]
This looks cool... I vote for it!

The syntax causes no broken things or whatever: currently, these syntaxes cause either 
parse-errors, or just print the $|foo literally, both not very likely to occur in 
current scripts ;)


[2001-02-10 14:00:03] [EMAIL PROTECTED]
refiling against 4.0.


[2000-01-22 16:00:05] [EMAIL PROTECTED]
This would be super, SUPER useful for everyone: a way to automatically expand (both in 
regular code AND in quoted strings):

  $|foo  [where "|" might be some other special
          punctuation character; you decide what
          character would work best]



Here's why.  One of the most common bugs in CGI programming -- in PHP or any other 
language -- is constructs such as this:

  echo "<input type=text name=foo value='$foo'>
        <input type=text name=bar value='$bar'>";

In this case, "$foo" will be expanded.  However, there's a serious problem here: if 
$foo contains any of the special characters (< > & "), those characters will NOT be 
escaped, and thus the resulting HTML is broken!

The correct way to do this is the following mess:

  echo "<input type=text name=foo value='"
    . htmlspecialchars($foo)
    . "'><input type=text name=bar value='"
    . htmlspecialchars($bar)
    . "'>";

This is a big pain in the neck.  Basically, it means that the automatic expansion of 
variables inside quoted strings is WAY less useful than it would be otherwise.

My proposed syntax extension would make this way, way easier.  Here's how you would be 
able to write the above example:

  echo "<input type=text name=foo value='$|foo'>
        <input type=text name=bar value='$|bar'>";

This is MUCH cleaner.  Also, this feature would encourage correct code, because 
without this feature, many programmers frequently forget to call htmlspecialchars() 
because of the convenience of relying on string-expansion.

This extension would also help in other situations, such as these:

  // if $name == "A&J Market", some browsers
  // will not display what you want:
  echo "<p>Company name: $name</p>";  // This is WRONG!
  echo "<p>Company name: $|name</p>"; // This would be okay

  // if $email == "Joe Smith <[EMAIL PROTECTED]>",
  // most browsers will not display what you want:
  echo "Reply to $email";  // This is WRONG!
  echo "Reply to $|email"; // This would be okay

Also, an example when escaping from HTML mode:

  <!-- this is WRONG: -->
  <input type=text name=foo value="<? echo $foo ?>">
  <!-- this would be okay: -->
  <input type=text name=foo value="<? echo $|foo ?>">

Note that in any context, $|foo would be an r-value, NOT an l-value (that is, you 
can't assign to it or pass it by reference).  For example, this is illegal:

  $|foo = "hi";     // illegal
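
The escaping problem this request describes, as an added example that is not part of the original thread: the same single-quoted `value='...'` field rendered with no escaping, with `htmlspecialchars()` under `ENT_COMPAT` (its default flag before PHP 8.1), and under `ENT_QUOTES`. The helper names `render_field()` and `attr_seen_by_parser()` and the sample value are assumptions made for illustration.

```php
<?php
// Added example; render_field() and attr_seen_by_parser() are hypothetical helpers.

// Build the field from the thread, keeping its single-quoted value attribute.
// $name is a trusted literal here; only $value is treated as untrusted input.
function render_field(string $name, string $value, ?int $flags): string
{
    // $flags === null reproduces the unescaped interpolation shown in the thread.
    $out = $flags === null
        ? $value
        : htmlspecialchars($value, $flags | ENT_HTML401, 'UTF-8');
    return "<input type=text name=$name value='$out'>";
}

// Approximate what an HTML parser reads back: a single-quoted attribute ends
// at the first single quote, and entities inside it are then decoded.
function attr_seen_by_parser(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Constructed sample input: the characters the thread lists (< > & "), plus '.
$foo = "O'Brien & Sons <sales> \"HQ\"";

$cases = [
    'raw interpolation' => null,
    'ENT_COMPAT'        => ENT_COMPAT,  // escapes & < > " but leaves ' alone
    'ENT_QUOTES'        => ENT_QUOTES,  // also escapes '
];

foreach ($cases as $label => $flags) {
    $html = render_field('foo', $foo, $flags);
    // The field is rendered correctly only if the parser gets back exactly $foo.
    $ok = attr_seen_by_parser($html) === $foo ? 'yes' : 'no';
    printf("%-18s %s\n  value round-trips: %s\n", $label, $html, $ok);
}
```

With a single-quoted attribute, the value only round-trips when the single quote itself is escaped, so the flag has to match the quoting style of the surrounding markup.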

