php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67734 Add output escaping specifiers to sprintf etc.
Submitted: 2014-08-01 08:16 UTC Modified: 2020-11-13 10:42 UTC
From: marcus at synchromedia dot co dot uk Assigned:
Status: Suspended Package: Strings related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2014-08-01 08:16 UTC] marcus at synchromedia dot co dot uk
Description:
------------
sprintf, vsprintf etc have numerous different specifiers for numbers, but only a single generic 'string' option for strings with %s. It would be useful to have additional options for escaping values, for example with URL encoding or HTML escaping. You might say that you can achieve this by applying escaping functions to the variables you pass in, which is correct, but in the interests of DRY, it's much tidier if the printing function can do this itself - and after all there is a clear precedent in the form of all the numeric options for which you could say the same.

It might be interesting to provide SQL escaping specifiers, since PDO doesn't provide a complete implementation for this, thoughit may be difficult to pass in a connection reference in a clean way.

Test script:
---------------
The current implementation looks like this:

echo sprintf('<a href="%s?linkname=%s">%s</a>', 'myscript.php', rawurlencode('> my link'), htmlentities('> my link', ENT_QUOTES));

Assuming the %h specifier applies URL-encoding, and the %H specifier applies HTML escaping:

echo sprintf('<a href="%1$s?linkname=%2$h">%2$H</a>', 'myscript.php', '> my link');

Result:

<a href="myscript.php?linkname=%3E%20my%20link">&gt; my link</a>


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-13 10:42 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2020-11-13 10:42 UTC] cmb@php.net
In my opinion, this is best left to userland (libraries), because
there may just be too many (slightly) different
requirements/demands.  If you feel strongly that this should be
part of PHP core, please forward your request to the internals
mailing list for discussion.  For the time being, I'm suspending
this ticket.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 13:01:31 2024 UTC