[PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Charlie Somerville
Hi internals,

I'd like to propose a new short tag that echoes with HTML escaping.

XSS is still a significant problem for PHP apps, but it is less common in
apps written with frameworks that provide automatic HTML escaping. However,
many developers are still writing straight PHP without any framework and a
feature like this in PHP itself could prove to be incredibly handy.

One approach I sometimes use is defining a global function called h() which
passes its argument through htmlspecialchars(). This works well, but it
still adds a little bit of unwanted mental and typing overhead.

Since escaping is desired the vast majority of the time, I'd like to see a
short tag for outputting with escaping. This tag could become the de facto
standard for echoing data, with ?= being seen as the more dangerous
alternative.

The new tag should be just as short and easy to type as ?=. Personally I'm
a fan of ?- or perhaps ?~.

Looking forward to hearing some feedback on this idea.

Cheers,

Charlie.


Re: [PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Paul Dragoonis
On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville 
char...@charliesomerville.com wrote:

 Hi internals,

 I'd like to propose a new short tag that echoes with HTML escaping.

 XSS is still a significant problem for PHP apps, but it is less common in
 apps written with frameworks that provide automatic HTML escaping. However,
 many developers are still writing straight PHP without any framework and a
 feature like this in PHP itself could prove to be incredibly handy.

 One approach I sometimes use is defining a global function called h() which
 passes its argument through htmlspecialchars(). This works well, but it
 still adds a little bit of unwanted mental and typing overhead.

 Since escaping is desired the vast majority of the time, I'd like to see a
 short tag for outputting with escaping. This tag could become the de facto
 standard for echoing data, with ?= being seen as the more dangerous
 alternative.

 The new tag should be just as short and easy to type as ?=. Personally I'm
 a fan of ?- or perhaps ?~.

 Looking forward to hearing some feedback on this idea.


How do you propose we customise the escaping of such things, using
htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or
the charset to be used (UTF-8)?

If you standardise such functionality then you'll need to have a callback
executed.

I'm personally not a fan of your new syntax because it adds more variations
to the way PHP is invoked and outputting information, but perhaps a generic
escape() function is in order. Maybe you're onto something, but I feel the
new php-invoking syntax isn't the way to go about it.

- Paul.



 Cheers,

 Charlie.



Re: [PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Charlie Somerville
 How do you propose we customise the escaping of such things, using
 htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the
 charset to be used (UTF-8)?

htmlspecialchars() with ENT_QUOTES and UTF-8 should be sufficient.


 I'm personally not a fan of your new syntax because it adds more variations
 to the way PHP is invoked and outputting information, but perhaps a generic
 escape() function is in order. Maybe you're onto something, but I feel the
 new php-invoking syntax isn't the way to go about it.

To clarify - I'm not proposing any new functionality. I'm specifically 
proposing new syntax for existing functionality. I don't really see what 
benefits a generic escape() function would bring.


The idea of this proposal is that it makes escaping just as easy as not 
escaping. At the moment many developers have a mindset of deciding whether or 
not they should escape something. I'd like to see that change to a mindset of 
specifically deciding not to escape a certain bit of output - and having an 
automatic escaping syntax will help that.


On Monday, 22 October 2012 at 12:44 AM, Paul Dragoonis wrote:

 
 
 On Sun, Oct 21, 2012 at 2:35 PM, Charlie Somerville 
 char...@charliesomerville.com (mailto:char...@charliesomerville.com) wrote:
  Hi internals,
  
  I'd like to propose a new short tag that echoes with HTML escaping.
  
  XSS is still a significant problem for PHP apps, but it is less common in
  apps written with frameworks that provide automatic HTML escaping. However,
  many developers are still writing straight PHP without any framework and a
  feature like this in PHP itself could prove to be incredibly handy.
  
  One approach I sometimes use is defining a global function called h() which
  passes its argument through htmlspecialchars(). This works well, but it
  still adds a little bit of unwanted mental and typing overhead.
  
  Since escaping is desired the vast majority of the time, I'd like to see a
  short tag for outputting with escaping. This tag could become the de facto
  standard for echoing data, with ?= being seen as the more dangerous
  alternative.
  
  The new tag should be just as short and easy to type as ?=. Personally I'm
  a fan of ?- or perhaps ?~.
  
  Looking forward to hearing some feedback on this idea.
 
 How do you propose we customise the escaping of such things, using 
 htmlentities() or htmlspecialchars? What about the ENT_QUOTES options, or the 
 charset to be used (UTF-8)? 
 
 If you standardise such functionality then you'll need to have a callback 
 executed.
 
 I'm personally not a fan of your new syntax because it adds more variations
 to the way PHP is invoked and outputting information, but perhaps a generic 
 escape() function is in order. Maybe you're onto something, but I feel the 
 new php-invoking syntax isn't the way to go about it. 
 
 - Paul.
  
  
  Cheers,
  
  Charlie.
 



Re: [PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Stas Malyshev
Hi!

 I'd like to propose a new short tag that echos with HTML escaping.

What is HTML escaping? Different contexts need different escaping. For
outside tags it's one escaping, for tag attribute it's another, for JS
code context - yet another. Selecting just one use case and integrating
it into the language is a bad idea - since you are basically saying
everybody should use this specific case in any case, which is wrong.

 The new tag should be just as short and easy to type as ?=. Personally I'm
 a fan of ?- or perhaps ?~.

Personally I'm hugely *not* a fan of more obscure syntax in PHP.
Especially one that will quickly lead people into writing insecure code
because of applying wrong escaping function for the context.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
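As an added example (not code from the thread, and not part of PHP itself), the following script builds the h() helper Charlie describes, with the flags he settles on (htmlspecialchars() with ENT_QUOTES and UTF-8), and then runs it through the contexts Stas lists. It shows where that one escaper is sufficient (text node, quoted attribute), where it is a no-op (unquoted attribute), where it is irrelevant (a javascript: URL), where the browser undoes it (an inline event handler, whose attribute value is entity-decoded before the JS engine sees it), and what a context-specific escaper looks like instead. The attr(), url(), js() and expect() helpers, the http(s)-only URL policy and the attacker inputs are assumptions made for this example; html_entity_decode() stands in for the browser's attribute decoding.

```php
<?php
declare(strict_types=1);

// h(): the helper described in the thread, with ENT_QUOTES and UTF-8.
// ENT_SUBSTITUTE is an addition here so that invalid UTF-8 becomes U+FFFD
// instead of making htmlspecialchars() return an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute value: h() is only sufficient when the value is quoted,
// so this helper emits the quotes together with the escaped value.
function attr(string $s): string
{
    return '"' . h($s) . '"';
}

// URL attribute (href/src): escaping never touches the scheme, so the
// scheme must be allow-listed first. Hypothetical policy: http(s) only.
function url(string $s): string
{
    return preg_match('~^https?://~i', $s) ? h($s) : '#';
}

// JavaScript value: a JSON literal with <, >, &, ', " hex-escaped, so the
// result can neither close a <script> block nor break out of a string.
function js($v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                         | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Small self-check so the script documents its own results.
function expect(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: unexpected output: $got");
    }
    echo $label, ': ', $got, "\n";
}

// Constructed attacker inputs, one per context.
$name  = '<script>alert(1)</script>';
$style = 'x onmouseover=alert(1)';      // contains no HTML-special character
$link  = 'javascript:alert(1)';
$arg   = "'); alert(1); //";
$msg   = '</script><script>alert(1)</script>';

// 1. Text node: h() is enough.
expect('text', '<p>' . h($name) . '</p>',
       '<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>');

// 2. Unquoted attribute: h() changes nothing in this input, and the
//    attacker's event handler lands in the tag. Quoting contains it.
expect('attr-unquoted', '<div class=' . h($style) . '>x</div>',
       '<div class=x onmouseover=alert(1)>x</div>');
expect('attr-quoted',   '<div class=' . attr($style) . '>x</div>',
       '<div class="x onmouseover=alert(1)">x</div>');

// 3. URL attribute: escaped, quoted, and still executes on click.
//    Only the scheme check helps.
expect('href-escaped', '<a href=' . attr($link) . '>x</a>',
       '<a href="javascript:alert(1)">x</a>');
expect('href-checked', '<a href=' . attr(url($link)) . '>x</a>',
       '<a href="#">x</a>');

// 4. Inline event handler, as in onclick="track('<?= h($arg) ?>')":
//    the HTML parser decodes entities in the attribute value before the
//    JS engine runs it, so h()'s &#039; is a quote again.
$onclick = "track('" . h($arg) . "')";
expect('onclick-html', $onclick, "track('&#039;); alert(1); //&#039;)");
expect('onclick-as-js-sees-it', html_entity_decode($onclick, ENT_QUOTES, 'UTF-8'),
       "track(''); alert(1); //')");              // string closed, alert(1) runs
//    Correct order: escape for the inner (JS) context first, then HTML-escape
//    the attribute. After entity decoding, JS sees one plain string literal.
$onclick = 'track(' . h(js($arg)) . ')';
expect('onclick-fixed-as-js-sees-it', html_entity_decode($onclick, ENT_QUOTES, 'UTF-8'),
       'track("\u0027); alert(1); \/\/")');

// 5. <script> block: entities are *not* decoded here, so h() would leave a
//    literal &lt; in the data; js() yields a value that cannot end the block.
expect('script', '<script>var m = ' . js($msg) . ';</script>',
       '<script>var m = "\u003C\/script\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>');
```

Run it with `php escape-contexts.php`; each line prints the rendered fragment, and a mismatch throws. The design point is the one the reply makes: the helper is not wrong, it is single-purpose, and a template mixing markup, attributes, URLs and script needs the escaper chosen per context (and, for nested contexts such as an event handler, applied inside-out), which is exactly what a single escaping tag would hide.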



Re: [PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Bryan Geraghty
 Personally I'm hugely *not* a fan of more obscure syntax in PHP.

I agree with this sentiment. I think the traditional simplicity of PHP's
syntax has been one of its greatest traits. I'm not a fan of all of this
type of alternate syntax that has been steadily added.

Bryan


Re: [PHP-DEV] HTML escaped short echo tag

2012-10-21 Thread Sherif Ramadan
On Sun, Oct 21, 2012 at 1:01 PM, Stas Malyshev smalys...@sugarcrm.com wrote:
 Hi!

 I'd like to propose a new short tag that echos with HTML escaping.

 What is HTML escaping? Different contexts need different escaping. For
 outside tags it's one escaping, for tag attribute it's another, for JS
 code context - yet another. Selecting just one use case and integrating
 it into the language is a bad idea - since you are basically saying
 everybody should use this specific case in any case, which is wrong.

 The new tag should be just as short and easy to type as ?=. Personally I'm
 a fan of ?- or perhaps ?~.

 Personally I'm hugely *not* a fan of more obscure syntax in PHP.
 Especially one that will quickly lead people into writing insecure code
 because of applying wrong escaping function for the context.


I completely agree.

Adding a new syntax for automatic escaping (even if configurable --
yay more php.ini!) is not going to change anyone's mindset from
defensive to offensive stance in my opinion.

If you have a template which generates javascript, css, and x/html all
from the same PHP file you get a lot of confusion having to deal with
some new syntax where users now have to be considerate of what output
syntax decides on what escape method.

For this, most user-space implementations (frameworks like you
mentioned) do a fine job of identifying these common use cases and
providing a common solution. There's the taint approach which could
allow a framework to automatically figure out which variables are
tainted and should be escaped and which aren't and can pass through
cleanly.

PHP doesn't need to get in the way here. I think the existing userland
implementations should do fine if they get it right.

 --
 Stanislav Malyshev, Software Architect
 SugarCRM: http://www.sugarcrm.com/
 (408)454-6900 ext. 227

 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php

