php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #62574 New operator for htmlspecialchars
Submitted: 2012-07-16 04:07 UTC Modified: 2016-06-11 11:02 UTC
Votes:8
Avg. Score:4.5 ± 1.3
Reproduced:5 of 6 (83.3%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: thbley at gmail dot com Assigned:
Status: Suspended Package: *General Issues
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-07-16 04:07 UTC] thbley at gmail dot com
Description:
------------
old:
<?php
echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>

new:
echo <$str>;
<?= <$str> ?>

or:
<?+ $str ?>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-04 18:06 UTC] ajf at ajf dot me
You can escape things ahead-of-time, you know. In fact, I have a feeling you 
could use foreach to traverse the symtable and escape everything. (don't do that 
though, that's a horrendous idea)
 [2012-09-04 18:15 UTC] ajf at ajf dot me
(I'm all for this though, I'm just pointing out other options)
 [2012-10-26 19:07 UTC] dagguh at gmail dot com
This is valid.

@ajf:
You should never dop anything "ahead-of-time" in programming. You shoudl escape a 
variable right before passing it to en environment, that requires this form of 
escaping
 [2012-10-26 19:24 UTC] ajf at ajf dot me
@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
 [2012-12-05 23:12 UTC] chuyu at microsoft dot com
I was thinking the same thing. 

One advantage of using some template engines(twig, phptal) is that they automatically escape html characters during output. Many people use these template engine simply for that due to XSS worries. However if we have such an operator, then we create a simple php native template engine(which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest to make the operator like <?~ $var ?>, the reason is that ~ is often located near the 'ESC' on the keyboard, so it feels more like escape :-)
 [2012-12-05 23:26 UTC] thbley at gmail dot com
So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>
 [2012-12-05 23:35 UTC] thbley at gmail dot com
and maybe:
- output htmlspecialchars+basename <?/ $file ?>
 [2016-06-11 05:44 UTC] michael dot vostrikov at gmail dot com
I also vote for this feature. There are a lot of projects which do not use a templating engine - for historical reasons or which are written on frameworks without built-in templating engine.
I wanted to suggest the variant like "<?== $str ?>", but I've read the comments and I like more the variant like "<?~ $str ?>". It is quite easy to type, and there is a less possibility to write "<?= ?>" instead.

In PHP 7 there are new operators and other changes. I think, new echo operator also can be added.
 [2016-06-11 11:02 UTC] requinix@php.net
-Status: Open +Status: Suspended
 [2016-06-11 11:02 UTC] requinix@php.net
Such a feature would require the RFC process. https://wiki.php.net/rfc/howto
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC