#57: Escape on echo and not around variables
Issue revisions
- new by Jordi Boggiano at 2010-F-20 20:07
- new by Jordi Boggiano at 2010-A-31 14:07
| Type | |
|---|---|
| State | |
| Priority | |
| Resolution | |
| Assigned to | Nobody |
| Scheduled for | 1.2.0 |
| Affected versions | 1.1.1 |
| Affected components | Core |
| Last change | Tuesday 31 August 2010 14:07:39 UTC by Jordi Boggiano |
Short description
When auto-escape is turned on, the compiler should escape just before echo(), so that filters are not impacted and echo calls using multiple vars don't have to call htmlentities several times.
A flag should be set when a variable is used and unset if safe() is called; the compiler then adds htmlentities() around echo if the flag is set.
Jordi Boggiano at Tuesday 31 August 2010 14:06:47 UTC
Note that for safe() to remain safe, it would have to be only usable at the top level function. That means a BC break.
Jordi Boggiano at Tuesday 31 August 2010 14:07:39 UTC
Scheduled
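The escape-at-echo scheme from the short description, together with the top-level-only safe() rule from the first note, sketched as an added example; it is not the project's compiler code. The array-based AST and the `truncate` and `concat` function names are assumptions made for illustration.

```php
<?php
// Toy model of the proposal (hypothetical AST, not the project's compiler).
// Nodes: ['lit', value], ['var', name], ['call', function, [argument nodes]].
function compileExpr(array $node, bool &$needsEscape, int $depth = 0): string
{
    if ($node[0] === 'lit') {
        return var_export($node[1], true);
    }
    if ($node[0] === 'var') {
        $needsEscape = true;            // flag set: a variable reaches the output
        return '$' . $node[1];
    }
    [, $fn, $args] = $node;             // anything else is treated as a call
    if ($fn === 'safe' && $depth > 0) {
        // A nested safe() would clear the flag for sibling variables as well.
        throw new LogicException('safe() is only allowed at the top level');
    }
    $parts = [];
    foreach ($args as $arg) {
        $parts[] = compileExpr($arg, $needsEscape, $depth + 1);
    }
    if ($fn === 'safe') {
        $needsEscape = false;           // flag unset: the whole output is trusted
        return $parts[0];
    }
    return $fn . '(' . implode(', ', $parts) . ')';
}

function compileEcho(array $node): string
{
    $needsEscape = false;
    $code = compileExpr($node, $needsEscape);
    // Escape once, around the finished expression, so filters see raw values.
    return $needsEscape ? "echo htmlentities($code);" : "echo $code;";
}

// Constructed sample templates (truncate/concat are hypothetical helpers).
$samples = [
    'filter on a variable' => ['call', 'truncate', [['var', 'title'], ['lit', 8]]],
    'two variables'        => ['call', 'concat', [['var', 'a'], ['var', 'b']]],
    'top-level safe()'     => ['call', 'safe', [['var', 'html']]],
    'nested safe()'        => ['call', 'concat', [['call', 'safe', [['var', 'a']]], ['var', 'b']]],
];
foreach ($samples as $label => $ast) {
    try {
        $out = compileEcho($ast);
    } catch (LogicException $e) {
        $out = 'rejected: ' . $e->getMessage();
    }
    echo "$label: $out\n";
}
```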