Request #3284 Add syntax extension to allow "htmlspecialchars($foo)" inside quoted strings
Submitted: 2000-01-22 16:00 UTC Modified: 2001-05-21 14:34 UTC
From: mike at morearty dot com Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0 OS: FreeBSD
Private report: No CVE-ID: None
 [2000-01-22 16:00 UTC] mike at morearty dot com
This would be super, SUPER useful for everyone: a way to automatically expand (both in regular code AND in quoted strings):

  $|foo  [where "|" might be some other special
          punctuation character; you decide what
          character would work best]

to:

  htmlspecialchars($foo)

Here's why.  One of the most common bugs in CGI programming -- in PHP or any other language -- is constructs such as this:

  echo "<input type=text name=foo value='$foo'>
        <input type=text name=bar value='$bar'>";

In this case, "$foo" will be expanded.  However, there's a serious problem here: if $foo contains any of the special characters (< > & "), those characters will NOT be escaped, and thus the resulting HTML is broken!

The correct way to do this is the following mess:

  echo "<input type=text name=foo value='"
    . htmlspecialchars($foo)
    . "'><input type=text name=bar value='"
    . htmlspecialchars($bar)
    . "'>";

This is a big pain in the neck.  Basically, it means that the automatic expansion of variables inside quoted strings is WAY less useful than it would be otherwise.

My proposed syntax extension would make this way, way easier.  Here's how you would be able to write the above example:

  echo "<input type=text name=foo value='$|foo'>
        <input type=text name=bar value='$|bar'>";

This is MUCH cleaner.  Also, this feature would encourage correct code, because without this feature, many programmers frequently forget to call htmlspecialchars() because of the convenience of relying on string-expansion.

This extension would also help in other situations, such as these:

  // if $name == "A&J Market", some browsers
  // will not display what you want:
  echo "<p>Company name: $name</p>";  // This is WRONG!
  echo "<p>Company name: $|name</p>"; // This would be okay

  // if $email == "Joe Smith <joe@somewhere.com>",
  // most browsers will not display what you want:
  echo "Reply to $email";  // This is WRONG!
  echo "Reply to $|email"; // This would be okay

Also, an example when escaping from HTML mode:

  <form>
  <!-- this is WRONG: -->
  <input type=text name=foo value="<? echo $foo ?>">
  <!-- this would be okay: -->
  <input type=text name=foo value="<? echo $|foo ?>">

Note that in any context, $|foo would be an r-value, NOT an l-value (that is, you can't assign to it or pass it by reference).  For example, this is illegal:

  $|foo = "hi";     // illegal

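As an added illustration of the escaping problem the report describes, here is example code written for this page (it is not code from the report, nor PHP's own implementation). It assumes PHP 5.4 or later for ENT_SUBSTITUTE, the helper name h() is hypothetical, and the sample values are constructed. It also shows a caveat the report's single-quoted attributes run into: before PHP 8.1, htmlspecialchars() defaulted to ENT_COMPAT and left the single quote unescaped, so value='...' attributes needed ENT_QUOTES.

```php
<?php
// Added example, not from the bug report: a small output-escaping helper
// and a demonstration of the report's "correct way" written with it.

// Escape a value for HTML text content or a quoted attribute value.
// ENT_QUOTES converts ' as well as " (htmlspecialchars() only escaped "
// by default before PHP 8.1); ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string. Name h() is hypothetical.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the same value escaped under both flag sets so the difference is
// visible; the report's value='$foo' pattern is only safe with ENT_QUOTES.
function compare_escaping($value)
{
    return array(
        'raw'        => $value,
        'ENT_COMPAT' => htmlspecialchars($value, ENT_COMPAT, 'UTF-8'), // ' untouched
        'ENT_QUOTES' => h($value),                                     // ' -> &#039;
    );
}

// Constructed sample inputs modelled on the ones in the report, plus a
// legitimate value containing single quotes.
$name  = "A&J Market";
$email = "Joe Smith <joe@somewhere.com>";
$foo   = "O'Reilly's";

// The report's "correct way" (concatenation with the escaping call), which
// produces well-formed HTML for each of the sample values.
echo "<input type=text name=foo value='" . h($foo) . "'>\n";
echo "<p>Company name: " . h($name) . "</p>\n";
echo "Reply to " . h($email) . "\n";

// Show why the single-quoted attribute needs ENT_QUOTES: under ENT_COMPAT the
// quotes in $foo survive and terminate the attribute value early.
foreach (compare_escaping($foo) as $mode => $out) {
    echo str_pad($mode, 11), " value='", $out, "'\n";
}
```

Running it prints the three escaped lines followed by the comparison; the ENT_COMPAT line shows `value='O'Reilly's'`, the broken attribute the report warns about, while the ENT_QUOTES line shows `value='O&#039;Reilly&#039;s'`.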
 [2001-02-10 14:00 UTC] jimw@php.net
refiling against 4.0.
 [2001-05-20 23:57 UTC] jeroen@php.net
This looks cool... I vote for it!

The syntax causes no broken things or whatever: currently, these syntaxes cause either parse errors, or just print the $|foo literally, both of which are not very likely to occur in current scripts ;)
 [2001-05-21 00:25 UTC] zeev@php.net
This is quite against the spirit of PHP - we don't want to add arbitrary modifiers that perform arbitrary/unexpected behavior.

We could and probably should find a better name for htmlspecialchars() - perhaps to_html() or htmlize() or something along these lines.
 [2001-05-21 14:34 UTC] cynic@php.net
my .02:

I don't like this. I thought PHP was going the "general-purpose" way, away from the web-only area, not the other way around. This is a feature you can easily implement in e.g. Smarty. And btw, htmlspecialchars (the name) is fine IMO. Descriptive and clear.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 23 22:01:31 2024 UTC