調査。 PHPでHTMLデータをエスケープする新しい <?~ $value ?> タグ

PHP7. , , HTML- . . , , , , CMS, , . .

, . , , .





<?~ $value ?>



<?= htmlspecialchars($value, ENT_QUOTES) ?>



. - , . , PHP- . <?= h($value) ?>



, - , - .



bugs.php.net, feature request 2012 . <?~ ?>



, . , PHP7, , RFC.



PHP Internals list , .



:

marc.info/?t=145851323800001

marc.info/?t=135082660600002

marc.info/?t=144225546000001

marc.info/?t=101129596100006

wiki.php.net/rfc/escaper

wiki.php.net/rfc/taint

bugs.php.net/bug.php?id=62574

bugs.php.net/bug.php?id=20310

bugs.php.net/bug.php?id=16007

bugs.php.net/bug.php?id=3284



, -. — HTML/URL/JS/CSS — - , .



. , HTML . , JS CSS «» (escaping), . -.



.

<?php /* Deliberately UNESCAPED example (the "before" picture). $thing['name'] is printed
         raw in three different contexts: a URL path segment inside an HTML attribute,
         a single-quoted JS string inside an on-event attribute, and HTML text. Each
         context has its own terminator (" for the attribute, ' and ) for the JS call,
         < for the text), so a name containing any of them escapes its context. */ ?>
<a href="/things/<?= $thing['name'] ?>" onclick="alert('<?= $thing['name'] ?>');">
    <?= $thing['name'] ?>
</a>

      
      





, . . htmlspecialchars() .



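<?php
    // Sample value chosen so that it contains a character that is special in
    // each context below: a double quote (HTML attribute, JSON) and a closing
    // parenthesis (the JS alert(...) call).
    $thing = ['name' => 'Say "Hello")'];
?>

<a
    href="/things/<?= htmlspecialchars(rawurlencode($thing['name']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"
    onclick="alert(<?= htmlspecialchars(json_encode($thing['name']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>);"
>
    <?= htmlspecialchars($thing['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>
</a>
<?php /*
   Why each line is escaped the way it is:
   - href: the value is a *path segment*, so rawurlencode() (RFC 3986, space -> %20)
     is the right encoder; urlencode() would emit '+' for a space, which in a path
     is a literal plus sign. The outer htmlspecialchars() is redundant for the
     characters rawurlencode() can produce, but keeps every output visibly HTML-escaped.
   - onclick: json_encode() yields a quoted JS string literal; htmlspecialchars()
     with ENT_QUOTES then neutralises " and ' so the literal cannot end the attribute.
   - text: plain HTML escaping; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8
     (without it htmlspecialchars() silently returns '' for such input), and naming the
     charset makes the result independent of default_charset.
*/ ?>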

      
      







Note that the output of urlencode() consists only of unreserved characters, '+' and %XX sequences, none of which is special in HTML, so wrapping it in htmlspecialchars() is redundant but harmless; the htmlspecialchars() + urlencode() pair is still worth writing so that every value emitted into HTML visibly goes through the same escaper.



:

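<?php
    $postData = ['contains_text' => 'Say "Hello")'];

    // Build the filter URL. The fixed prefix needs no encoding; only the
    // user-supplied query value does.
    $filterUrl = '/my_route/?state=active';
    // Compare against '' instead of testing truthiness: a filter value of "0"
    // is falsy in PHP and would otherwise be dropped from the URL silently.
    if (($postData['contains_text'] ?? '') !== '') {
        // urlencode() (not rawurlencode) is the right choice for a query-string
        // value: it produces application/x-www-form-urlencoded (space -> '+').
        $filterUrl .= '&contains_text=' . urlencode($postData['contains_text']);
    }
    $pageNumber = 1;
?>

<a
    href="<?= htmlspecialchars($filterUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"
    onclick="alert(<?= htmlspecialchars(json_encode($postData['contains_text']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>);"
>
    <?= (int) $pageNumber ?>
</a>
<?php /*
   - href: the whole URL is already URL-encoded where it needs to be, so the only
     remaining context is the HTML attribute -> htmlspecialchars() (ENT_QUOTES covers
     both attribute delimiters; '&' between query parameters becomes '&amp;', which
     browsers decode back before navigating).
   - onclick: JSON string literal, then HTML-escaped for the attribute, same as above.
   - text: $pageNumber is output unescaped only because it is an integer; the explicit
     (int) cast makes that assumption visible instead of relying on the assignment
     a few lines up.
*/ ?>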

      
      







- htmlspecialchars() style



script



.



1  HTML         ,    (  3 )
2  HTML + URL   href, action,    data-url
3  HTML + JS    on-event - onclick, onkeypress  ..
4  HTML + CSS   style
5  URL         -
6  JS           <script></script>
7  CSS          <style></style>
8  non-HTML          ,    .

      
      







5 — HTML- , .

6 — , , html-. PHP+JS , data-, . htmlspecialchars().

7 — , PHP .

8 — .



, HTML , . , , .



<?~ ?>



«php.ini» . , Shift, <?= ?>



, . - htmlspecialchars()



, . , <?php echo htmlspecialchars($str, ENT_QUOTES) ?>



, <?= ?>



<?php echo $str; ?>







UPD:





:

RFC: https://wiki.php.net/rfc/escaping_operator

: github

: http://marc.info/?t=146619199100001

RFC: http://marc.info/?t=146868366400003





. , , Twig Symfony, N API, , . . , .



.


