Poll. New Tag for HTML data escaping in PHP
PHP7. , , HTML- . . , , , , CMS, , . .
, . , , .
bugs.php.net, feature request 2012 .
PHP Internals list , .
:
marc.info/?t=145851323800001
marc.info/?t=135082660600002
marc.info/?t=144225546000001
marc.info/?t=101129596100006
wiki.php.net/rfc/escaper
wiki.php.net/rfc/taint
bugs.php.net/bug.php?id=62574
bugs.php.net/bug.php?id=20310
bugs.php.net/bug.php?id=16007
bugs.php.net/bug.php?id=3284
, -. — HTML/URL/JS/CSS — - , .
. , HTML . , JS CSS «» (escaping), . -.
.
, . . htmlspecialchars() .
, urlencode() HTML , htmlspecialchars(), htmlspecialchars() + urlencode() .
:
- htmlspecialchars()
5 — HTML- , .
6 — , , html-. PHP+JS , data-, . htmlspecialchars().
7 — , PHP .
8 — .
, HTML , . , , .
UPD:
:
RFC: https://wiki.php.net/rfc/escaping_operator
: github
: http://marc.info/?t=146619199100001
RFC: http://marc.info/?t=146868366400003
. , , Twig Symfony, N API, , . . , .
.
, . , , .
<?~ $value ?> <?= htmlspecialchars($value, ENT_QUOTES) ?>. - , . , PHP- . <?= h($value) ?> , - , - .
bugs.php.net, feature request 2012 .
<?~ ?>, . , PHP7, , RFC.
PHP Internals list , .
:
marc.info/?t=145851323800001
marc.info/?t=135082660600002
marc.info/?t=144225546000001
marc.info/?t=101129596100006
wiki.php.net/rfc/escaper
wiki.php.net/rfc/taint
bugs.php.net/bug.php?id=62574
bugs.php.net/bug.php?id=20310
bugs.php.net/bug.php?id=16007
bugs.php.net/bug.php?id=3284
, -. — HTML/URL/JS/CSS — - , .
. , HTML . , JS CSS «» (escaping), . -.
.
<a href="/things/<?= $thing['name'] ?>" onclick="alert('<?= $thing['name'] ?>');">
<?= $thing['name'] ?>
</a>
, . . htmlspecialchars() .
<?php $thing = ['name' => 'Say "Hello")']; ?>
<a
href="/things/<?= htmlspecialchars(urlencode($thing['name'])) ?>"
onclick="alert(<?= htmlspecialchars(json_encode($thing['name']), ENT_QUOTES) ?>);"
>
<?= htmlspecialchars($thing['name']) ?>
</a>
, urlencode() HTML , htmlspecialchars(), htmlspecialchars() + urlencode() .
:
<?php
$postData = ['contains_text' => 'Say "Hello")'];
$filterUrl = '/my_route/?state=active';
if ($postData['contains_text']) $filterUrl .= '&' . 'contains_text=' . urlencode($postData['contains_text']);
$pageNumber = 1;
?>
<a
href="<?= htmlspecialchars($filterUrl) ?>"
onclick="alert(<?= htmlspecialchars(json_encode($postData['contains_text']), ENT_QUOTES) ?>);"
>
<?= $pageNumber ?>
</a>
- htmlspecialchars()
style script.
1 HTML , ( 3 )
2 HTML + URL href, action, data-url
3 HTML + JS on-event - onclick, onkeypress ..
4 HTML + CSS style
5 URL -
6 JS <script></script>
7 CSS <style></style>
8 non-HTML , .
5 — HTML- , .
6 — , , html-. PHP+JS , data-, . htmlspecialchars().
7 — , PHP .
8 — .
, HTML , . , , .
<?~ ?> «php.ini» . , Shift, <?= ?> , . - htmlspecialchars(), . , <?php echo htmlspecialchars($str, ENT_QUOTES) ?>, <?= ?> <?php echo $str; ?>
UPD:
:
RFC: https://wiki.php.net/rfc/escaping_operator
: github
: http://marc.info/?t=146619199100001
RFC: http://marc.info/?t=146868366400003
. , , Twig Symfony, N API, , . . , .
.
')
Source: https://habr.com/ru/post/304162/
All Articles