Re: [VOTE] Improve HTML escape

Date: Thu, 20 Feb 2014 21:57:14 +0000
Subject: Re: [VOTE] Improve HTML escape
Groups: php.internals

Hi Angel,

On Fri, Feb 21, 2014 at 5:43 AM, Ángel González <[email protected]> wrote:

> I see the point to change the default value, but I don't think PHP should
> ignore the flags requesting a specific behavior.


It's better to always escape all chars, IMHO. It's safer. Code will be a
little simpler, too.

However, it is understandable. We have

 - ENT_NOQUOTES (skip escaping quotes - this is NOT deprecated)
 - ENT_COMPAT (escape only " - deprecation is proposed)
 - ENT_QUOTES (escape " and ' - deprecation is proposed)

Deprecation can be dropped and it's possible to honor all of these. I
proposed deprecation since I could not think of a use case other than test
program compatibility. Are there use cases?

I don't mind adding

 - ENT_SINGLE (escape only ')
 - ENT_DOUBLE (escape only ". Same as ENT_COMPAT, but better name)

as HTML5 supports ", ' and no quotes for attributes. It seems good for
completeness. This would be an issue for a new RFC, though. I may write a new RFC
for this when this is over if many think this is better to have.

Regards,

--
Yasuo Ohgaki
[email protected]
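
Added example, not part of the original message or of PHP's own code: a small PHP script that runs `htmlspecialchars()` with each of the three existing flags discussed above and reports, for each attribute quoting style HTML5 allows, whether the escaped value stays inside the attribute. The sample value and the helper names `staysInsideAttribute` and `report` are constructed for illustration; the unquoted case is checked against a space only.

```php
<?php
// Added example: which attribute quoting styles each htmlspecialchars()
// flag keeps intact. Flags are always passed explicitly, so the result
// does not depend on the default of the running PHP version.

const FLAGS = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // escapes neither " nor '
    'ENT_COMPAT'   => ENT_COMPAT,   // escapes " only
    'ENT_QUOTES'   => ENT_QUOTES,   // escapes " and '
];

// Character that ends the attribute value in each quoting style.
// An unquoted value ends at whitespace (only a space is checked here).
const CONTEXTS = [
    'double-quoted' => '"',
    'single-quoted' => "'",
    'unquoted'      => ' ',
];

/** True if the escaped value no longer contains the raw delimiter. */
function staysInsideAttribute(string $value, int $flags, string $delimiter): bool
{
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return strpos($escaped, $delimiter) === false;
}

/** Build a flag => context => bool table for one input value. */
function report(string $value): array
{
    $rows = [];
    foreach (FLAGS as $name => $flags) {
        foreach (CONTEXTS as $context => $delimiter) {
            $rows[$name][$context] = staysInsideAttribute($value, $flags, $delimiter);
        }
    }
    return $rows;
}

// Constructed input containing both quote characters and spaces.
$value = 'Tom "T" O\'Neil';

foreach (report($value) as $name => $contexts) {
    foreach ($contexts as $context => $ok) {
        printf("%-13s %-14s %s\n", $name, $context, $ok ? 'contained' : 'ends early');
    }
}
```

None of the flags makes an unquoted attribute safe for a value containing whitespace, so the quoting style in the template matters as much as the flag.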

