Re: [VOTE] Improve HTML escape

Date: Sun, 23 Feb 2014 05:03:11 +0000
Subject: Re: [VOTE] Improve HTML escape
Groups: php.internals

Hi Lester,

On Fri, Feb 21, 2014 at 9:19 PM, Lester Caine <[email protected]> wrote:

> Yasuo Ohgaki wrote:
>
>>> I don't mind adding
>>>
>>>   - ENT_SINGLE(escape only ')
>>>   - ENT_DOUBLE(escape only ". Same as ENT_COMPAT, but better name)
>>>
>>> as HTML5 supports ", ' and no quotes for attributes. It seems good for
>>> completeness. This would be issue for new RFC, though. I may write new RFC
>>> for this when this is over if many of think this is better to have.
>>>
>> Correction.
>> To control escape fully, we need
>>
>>   - ENT_SINGLE(escape only ' )
>>   - ENT_DOUBLE(escape only ". Same as ENT_COMPAT, but better name)
>>   - ENT_AMP(escape only & )
>>   - ENT_SEMI_COLON(escape only ; )
>>   - ENT_SLASH(escape only / )
>>
>> It seems too much...
>>
>
> Yasuo
> I think the problem here is that there is not a single 'good' answer here?
> If there was a single combination that worked for everything then there
> would not be a problem, but some legacy installations will be broken by
> htmlspecialchars() and htmlspecialchars_decode() now returning different
> results? Some changes were only introduced in 5.4.0 and need to be
> assimilated to allow further changes to happen cleanly?


Decoding should be a problem, but I'll be careful about it.

Regards,

--
Yasuo Ohgaki
[email protected]


php.internals (#72767)