PHP :: Request #62574 :: New operator for htmlspecialchars

New operator for htmlspecialchars

Submitted:

2012-07-16 04:07 UTC

Modified:

2016-06-11 11:02 UTC

Votes:	8
Avg. Score:	4.5 ± 1.3
Reproduced:	5 of 6 (83.3%)
Same Version:	4 (80.0%)
Same OS:	4 (80.0%)

From:

thbley at gmail dot com

Assigned:

Status:

Suspended

Package:

*General Issues

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2012-07-16 04:07 UTC] thbley at gmail dot com

Description:
------------
old:
<?php
echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>

new:
echo <$str>;
<?= <$str> ?>

or:
<?+ $str ?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-09-04 18:06 UTC] ajf at ajf dot me

You can escape things ahead-of-time, you know. In fact, I have a feeling you 
could use foreach to traverse the symtable and escape everything. (don't do that 
though, that's a horrendous idea)

[2012-09-04 18:15 UTC] ajf at ajf dot me

(I'm all for this though, I'm just pointing out other options)

[2012-10-26 19:07 UTC] dagguh at gmail dot com

This is valid.

@ajf:
You should never dop anything "ahead-of-time" in programming. You shoudl escape a 
variable right before passing it to en environment, that requires this form of 
escaping

[2012-10-26 19:24 UTC] ajf at ajf dot me

@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.

[2012-12-05 23:12 UTC] chuyu at microsoft dot com

I was thinking the same thing. 

One advantage of using some template engines(twig, phptal) is that they automatically escape html characters during output. Many people use these template engine simply for that due to XSS worries. However if we have such an operator, then we create a simple php native template engine(which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest to make the operator like <?~ $var ?>, the reason is that ~ is often located near the 'ESC' on the keyboard, so it feels more like escape :-)

[2012-12-05 23:26 UTC] thbley at gmail dot com

So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>

[2012-12-05 23:35 UTC] thbley at gmail dot com

and maybe:
- output htmlspecialchars+basename <?/ $file ?>

[2016-06-11 05:44 UTC] michael dot vostrikov at gmail dot com

I also vote for this feature. There are a lot of projects which do not use a templating engine - for historical reasons or which are written on frameworks without built-in templating engine.
I wanted to suggest the variant like "<?== $str ?>", but I've read the comments and I like more the variant like "<?~ $str ?>". It is quite easy to type, and there is a less possibility to write "<?= ?>" instead.

In PHP 7 there are new operators and other changes. I think, new echo operator also can be added.

[2016-06-11 11:02 UTC] requinix@php.net

-Status: Open +Status: Suspended

[2016-06-11 11:02 UTC] requinix@php.net

Such a feature would require the RFC process. https://wiki.php.net/rfc/howto

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 11:01:28 2024 UTC