echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>
<?= <$str> ?>
<?+ $str ?>
You can escape things ahead-of-time, you know. In fact, I have a feeling you
could use foreach to traverse the symtable and escape everything. (don't do that
though, that's a horrendous idea)
(I'm all for this though, I'm just pointing out other options)
This is valid.
You should never do anything "ahead-of-time" in programming. You should escape a
variable right before passing it to an environment that requires this form of
@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
I was thinking the same thing.
One advantage of using some template engines (Twig, PHPTAL) is that they automatically escape HTML characters during output. Many people use these template engines simply for that, due to XSS worries. However, if we have such an operator, then we can create a simple PHP native template engine (which I'm all for), and in the template always use this operator to prevent XSS.
I would suggest making the operator like <?~ $var ?>; the reason is that ~ is often located near the 'ESC' key on the keyboard, so it feels more like escape :-)
So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>
- output htmlspecialchars+basename <?/ $file ?>
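As an added example (not code from the bug report or from PHP itself), the four use cases listed above written as ordinary helper functions that can be used with today's <?= ?> tag, followed by the double-escaping effect behind the "escape right before output" comment; the function names e, et, ei, ef and the sample inputs are assumptions:

```php
<?php
// Added example, not part of the bug report: helpers matching the proposed
// escaping tags, so the behaviour can be checked with plain <?= tags now.
declare(strict_types=1);

// Proposed <?~ $str tag: HTML-escape for text and quoted-attribute context.
// ENT_QUOTES also escapes ' so the value is safe inside single-quoted
// attributes; ENT_SUBSTITUTE avoids returning "" on invalid UTF-8, which
// would silently drop the value instead of rendering it.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Proposed <?- $str tag: strip tags, then still escape, because strip_tags
// alone leaves characters such as < " & that can break out of an attribute.
function et(string $s): string {
    return e(strip_tags($s));
}

// Proposed <?# $str tag: coerce to an integer, so no markup can survive.
function ei(string $v): string {
    return (string) (int) $v;
}

// Proposed <?/ $file tag: reduce a path to its bare file name, then escape.
function ef(string $path): string {
    return e(basename($path));
}

// Constructed sample inputs standing in for untrusted user data.
$str  = '<b onmouseover="x()">Tom & "Jerry"</b>';
$file = '../../uploads/report.pdf';
$n    = '42abc';

// What each of the four tags would print for these inputs.
echo e($str), "\n";   // markup and quotes become entities
echo et($str), "\n";  // the <b> element is dropped, & and " are still escaped
echo ei($n), "\n";    // only the leading integer remains
echo ef($file), "\n"; // the ../ components are removed by basename

// Why escaping belongs at output time rather than "ahead of time": a value
// escaped when stored and escaped again when printed is double-encoded, so
// the browser shows the literal entity text instead of the original &.
$stored = e('Tom & Jerry');
echo e($stored), "\n"; // the & from the first pass is escaped a second time
```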
I also vote for this feature. There are a lot of projects which do not use a templating engine, either for historical reasons or because they are written on frameworks without a built-in templating engine.
I wanted to suggest a variant like "<?== $str ?>", but I've read the comments and I prefer the variant like "<?~ $str ?>". It is quite easy to type, and there is less chance of writing "<?= ?>" instead.
In PHP 7 there are new operators and other changes. I think a new echo operator could also be added.
Such a feature would require the RFC process. https://wiki.php.net/rfc/howto