Re: [VOTE] Improve HTML escape
Yasuo Ohgaki wrote:
I don't mind adding
- ENT_SINGLE (escape only ')
- ENT_DOUBLE (escape only ". Same as ENT_COMPAT, but better name)
as HTML5 supports ", ' and no quotes for attributes. It seems good for
completeness. This would be an issue for a new RFC, though. I may write a new RFC
for this when this is over if many think this is better to have.
Correction.
To control escape fully, we need
- ENT_SINGLE (escape only ')
- ENT_DOUBLE (escape only ". Same as ENT_COMPAT, but better name)
- ENT_AMP (escape only &)
- ENT_SEMI_COLON (escape only ;)
- ENT_SLASH (escape only /)
It seems too much...
Yasuo
I think the problem here is that there is not a single 'good' answer here? If there was a single combination that worked for everything then there would not be a problem, but some legacy installations will be broken by htmlspecialchars() and htmlspecialchars_decode() now returning different results? Some changes were only introduced in 5.4.0 and need to be assimilated to allow further changes to happen cleanly?
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
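
Added example, not part of either message above: it runs the three quote flags that exist in htmlspecialchars() today against the three attribute syntaxes mentioned in the thread and reports which delimiter characters are left unescaped in each. The sample value, the context table and the helper rawTerminators() are constructed for illustration; the ENT_SINGLE, ENT_DOUBLE, ENT_AMP, ENT_SEMI_COLON and ENT_SLASH flags are only proposals in this thread and are not used.

```php
<?php
// Constructed sample value (not taken from the thread).
$value = 'Tom\'s "big" sale & more';

// Quote-handling flags that htmlspecialchars() actually provides.
$flagSets = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // escapes & < > only
    'ENT_COMPAT'   => ENT_COMPAT,   // also escapes "
    'ENT_QUOTES'   => ENT_QUOTES,   // also escapes " and '
];

// Attribute syntaxes HTML5 allows, with the characters that must not
// appear raw inside the value for each syntax.
$contexts = [
    'double-quoted' => ['"'],
    'single-quoted' => ["'"],
    'unquoted'      => ['"', "'", ' ', "\t", "\n", "\f", "\r", '>', '<', '=', '`'],
];

// Hypothetical helper: returns the terminators still present unescaped.
function rawTerminators(string $escaped, array $terminators): array
{
    return array_values(array_filter(
        $terminators,
        fn (string $c): bool => strpos($escaped, $c) !== false
    ));
}

foreach ($flagSets as $name => $flags) {
    // Encoding passed explicitly so the result does not depend on the PHP version's default.
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    echo "$name => $escaped\n";
    foreach ($contexts as $context => $terminators) {
        $left = rawTerminators($escaped, $terminators);
        $verdict = $left ? 'UNSAFE, raw ' . json_encode($left) : 'ok';
        printf("  %-14s %s\n", $context, $verdict);
    }
}
```

The unquoted case is reported as unsafe under every flag because none of them escapes whitespace, so such attributes need quoting in the template rather than a different escape flag.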