php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #77378 Default to short_open_tags = false
Submitted: 2018-12-30 18:55 UTC Modified: 2019-01-02 09:29 UTC
From: olafvdspek at gmail dot com Assigned:
Status: Open Package: *General Issues
PHP Version: All OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-12-30 18:55 UTC] olafvdspek at gmail dot com
Description:
------------
AFAIK the recommendation has been false for quite some time but the default (and docs) don't reflect this. Could this inconsistency be rectified?

http://php.net/manual/en/ini.core.php#ini.short-open-tag

https://github.com/oerdnj/deb.sury.org/issues/1043


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-30 19:00 UTC] spam2 at rhsoft dot net
there are two things:

* it's recommended for years to tun it off
* turning it off has security risks

when you change that default on any existing environment you probably leak code and credentials without taking notice

if you care your "php.ini" would have it disabled for years and if you don#t care changing the default only introduces problems with no gain
 [2018-12-31 02:13 UTC] olafvdspek at gmail dot com
> there are two things:

http://php.net/manual/en/ini.core.php#ini.short-open-tag doesn't mention any of this.

> when you change that default on any existing environment you probably leak code and credentials without taking notice

That's already the case with the php.ini change.
 [2018-12-31 04:53 UTC] spam2 at rhsoft dot net
in which world is when "you change the default" the same as "That's already the case with the php.ini change"?
 [2018-12-31 10:31 UTC] olafvdspek at gmail dot com
In a world where the effective value is set in php.ini rather then the php binary for a majority of users.

If you're really afraid of changing the default there's a third option: remove the default and require the value to be explicitly set.
 [2019-01-02 09:16 UTC] nikic@php.net
The summarize the current situation, because it's rather odd:

 * In both php.ini-production and php.ini-development short_open_tag is off.
 * The default value (without ini) is short_open_tag=on *unless* --disable-short-tags has been specified during ./configure. On Windows there doesn't seem to be an equivalent for --disable-short-tags, so on Windows the default is always on.

I agree that the current situation is quite odd. It would probably make sense to make short_open_tag=off the default and convert --disable-short-tags into --enable-short-tags for people who would like to influence the default.
 [2019-01-02 09:22 UTC] olafvdspek at gmail dot com
Does --disable-short-tags 'only' change the default or does it disable short tags unconditionally, even if short_open_tags = true in the .ini?
 [2019-01-02 09:27 UTC] nikic@php.net
@olafvdspek It only changes the default. The ini setting still wins in the end.

I've sent a mail to internals regarding this issue: https://marc.info/?l=php-internals&m=154642087106001
 [2019-01-02 09:29 UTC] nikic@php.net
-PHP Version: 7.3.0 +PHP Version: All
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 20:01:25 2019 UTC