Request #62574 New operator for htmlspecialchars
Submitted: 2012-07-16 04:07 UTC Modified: 2016-06-11 11:02 UTC
Avg. Score:4.5 ± 1.3
Reproduced:5 of 6 (83.3%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: thbley at gmail dot com Assigned:
Status: Suspended Package: *General Issues
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None

 [2012-07-16 04:07 UTC] thbley at gmail dot com
echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>

echo <$str>;
<?= <$str> ?>

<?+ $str ?>


 [2012-09-04 18:06 UTC] ajf at ajf dot me
You can escape things ahead-of-time, you know. In fact, I have a feeling you 
could use foreach to traverse the symtable and escape everything. (don't do that 
though, that's a horrendous idea)
 [2012-09-04 18:15 UTC] ajf at ajf dot me
(I'm all for this though, I'm just pointing out other options)
 [2012-10-26 19:07 UTC] dagguh at gmail dot com
This is valid.

You should never do anything "ahead-of-time" in programming. You should escape a 
variable right before passing it to an environment that requires this form of 
 [2012-10-26 19:24 UTC] ajf at ajf dot me
@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
 [2012-12-05 23:12 UTC] chuyu at microsoft dot com
I was thinking the same thing. 

One advantage of using some template engines (twig, phptal) is that they automatically escape html characters during output. Many people use these template engines simply for that due to XSS worries. However, if we have such an operator, then we can create a simple php native template engine (which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest making the operator like <?~ $var ?>; the reason is that ~ is often located near the 'ESC' key on the keyboard, so it feels more like escape :-)
 [2012-12-05 23:26 UTC] thbley at gmail dot com
So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>
 [2012-12-05 23:35 UTC] thbley at gmail dot com
and maybe:
- output htmlspecialchars+basename <?/ $file ?>
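The output modes listed in the two comments above, written out as plain PHP functions so their effect on one constructed input can be compared. This is an added example, not code from the bug report or from PHP itself; the function names (out_esc, out_strip, out_int, out_file) are assumptions for illustration.

```php
<?php
// Added example: one function per proposed output mode, applied to a
// constructed sample string. Function names are assumptions, not PHP APIs.

// <?+ $str ?> / <?~ $str ?>: escape for HTML text and attribute context.
// ENT_QUOTES is passed explicitly because before PHP 8.1 the default
// (ENT_COMPAT) left single quotes unescaped, which matters inside
// single-quoted attributes. ENT_SUBSTITUTE avoids an empty string on
// invalid UTF-8, which would otherwise silently drop the whole value.
function out_esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// <?- $str ?>: strip_tags removes markup but does NOT escape what remains
// (ampersands and quotes survive), so it is not a substitute for out_esc
// when the value lands in an attribute.
function out_strip(string $s): string
{
    return strip_tags($s);
}

// <?# $str ?>: coerce to an integer, e.g. for a record id in a URL.
// Trailing garbage is discarded; a non-numeric string becomes 0.
function out_int($v): int
{
    return intval($v);
}

// <?/ $file ?>: keep only the final path component, then escape it,
// so a user-supplied path cannot point outside the intended directory
// and cannot break out of the surrounding HTML.
function out_file(string $path): string
{
    return out_esc(basename($path));
}

// Constructed sample input: markup, an ampersand, both quote styles,
// a numeric string with trailing text, and a relative path.
$str  = "<b>Tom & Jerry</b> said 'hi' and \"bye\"";
$id   = "42abc";
$file = "../../uploads/report.pdf";

echo "raw:   ", $str, "\n";             // what <?= $str ?> prints today
echo "esc:   ", out_esc($str), "\n";
echo "strip: ", out_strip($str), "\n";
echo "int:   ", out_int($id), "\n";
echo "file:  ", out_file($file), "\n";
```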
 [2016-06-11 05:44 UTC] michael dot vostrikov at gmail dot com
I also vote for this feature. There are a lot of projects which do not use a templating engine, for historical reasons or because they are written with frameworks without a built-in templating engine.
I wanted to suggest a variant like "<?== $str ?>", but I've read the comments and I like the variant "<?~ $str ?>" more. It is quite easy to type, and there is less possibility of writing "<?= ?>" instead.

In PHP 7 there are new operators and other changes. I think a new echo operator can also be added.
 [2016-06-11 11:02 UTC]
-Status: Open +Status: Suspended
 [2016-06-11 11:02 UTC]
Such a feature would require the RFC process.
Last updated: Mon Oct 25 05:03:32 2021 UTC