php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #62574 New operator for htmlspecialchars
Submitted: 2012-07-16 04:07 UTC Modified: 2016-06-11 11:02 UTC
Votes:8
Avg. Score:4.5 ± 1.3
Reproduced:5 of 6 (83.3%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: thbley at gmail dot com Assigned:
Status: Suspended Package: *General Issues
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
9 - 9 = ?
Subscribe to this entry?

 
 [2012-07-16 04:07 UTC] thbley at gmail dot com 
Description:
------------
old:
<?php
echo htmlspecialchars($str, ENT_QUOTES);
<?= htmlspecialchars($str, ENT_QUOTES) ?>

new:
echo <$str>;
<?= <$str> ?>

or:
<?+ $str ?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-04 18:06 UTC] ajf at ajf dot me 
You can escape things ahead-of-time, you know. In fact, I have a feeling you 
could use foreach to traverse the symtable and escape everything. (don't do that 
though, that's a horrendous idea)
 [2012-09-04 18:15 UTC] ajf at ajf dot me 
(I'm all for this though, I'm just pointing out other options)
 [2012-10-26 19:07 UTC] dagguh at gmail dot com 
This is valid.

@ajf:
You should never dop anything "ahead-of-time" in programming. You shoudl escape a 
variable right before passing it to en environment, that requires this form of 
escaping
 [2012-10-26 19:24 UTC] ajf at ajf dot me 
@dagguh: What? I'm just suggesting exporting variables into the global namespace, and escaping them in the process, for templating purposes.
 [2012-12-05 23:12 UTC] chuyu at microsoft dot com 
I was thinking the same thing. 

One advantage of using some template engines(twig, phptal) is that they automatically escape html characters during output. Many people use these template engine simply for that due to XSS worries. However if we have such an operator, then we create a simple php native template engine(which I'm all for), and in the template always use this operator to prevent XSS.

I would suggest to make the operator like <?~ $var ?>, the reason is that ~ is often located near the 'ESC' on the keyboard, so it feels more like escape :-)
 [2012-12-05 23:26 UTC] thbley at gmail dot com 
So we have these use cases:
- output unmodified content <?= $str ?>
- output htmlspecialchars escaped content <?+ $str ?> or <?~ $str ?>
- output strip_tags <?- $str ?>
- output intval <?# $str ?>
 [2012-12-05 23:35 UTC] thbley at gmail dot com 
and maybe:
- output htmlspecialchars+basename <?/ $file ?>
 [2016-06-11 05:44 UTC] michael dot vostrikov at gmail dot com 
I also vote for this feature. There are a lot of projects which do not use a templating engine - for historical reasons or which are written on frameworks without built-in templating engine.
I wanted to suggest the variant like "<?== $str ?>", but I've read the comments and I like more the variant like "<?~ $str ?>". It is quite easy to type, and there is a less possibility to write "<?= ?>" instead.

In PHP 7 there are new operators and other changes. I think, new echo operator also can be added.
 [2016-06-11 11:02 UTC] requinix@php.net
-Status: Open +Status: Suspended
 [2016-06-11 11:02 UTC] requinix@php.net 
Such a feature would require the RFC process. https://wiki.php.net/rfc/howto
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 06:01:28 2024 UTC