Hi Xinchen,
On Tue, Jun 23, 2015 at 11:33 PM, Xinchen Hui <laruence@php.net> wrote:
> But passing a non-string to htmlspecialchars is not a commonly used case..
>
> "optimizing" not commonly used cases... will bring nothing to us..
>
The reason why I brought this up now is the scalar type hint.
Before PHP7, people didn't care if data sent from the browser was
actually a string, e.g. age, month, date, etc.
However, this optimization has more effect because of PHP7's type hints,
which "always" convert the data type, and users must escape regardless of its
type. A wrong data type assumption is a common source of JavaScript injections.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
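As an added illustration of the point made above (this is not code from the thread or from PHP itself), a PHP snippet showing why output should be escaped regardless of the type the developer assumes a request value has; the function names and the request array are hypothetical:

```php
<?php
// Added example, not from the original thread. Every $_GET/$_POST value is
// a string in PHP no matter what the developer expects, so escaping must
// not depend on a guess about the type.
declare(strict_types=1);

// Escape helper that accepts any scalar. Ints, floats and bools are
// stringified first so one escaping rule applies uniformly.
function e($value): string
{
    if (is_bool($value)) {
        $value = $value ? '1' : '0';
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Handler that "knows" age is numeric and therefore skips escaping.
// Whatever the request actually carries is copied into the page as-is.
function renderAgeUnsafe(string $ageFromRequest): string
{
    return "<span class=\"age\">{$ageFromRequest}</span>";
}

// Same handler escaping unconditionally: correct for a real int and for a
// string that was merely assumed to be numeric.
function renderAgeSafe($age): string
{
    return '<span class="age">' . e($age) . '</span>';
}

// Constructed request data (hypothetical): one value that matches the
// assumption and one that does not.
$request = ['age' => '33', 'age_bad' => '33<b>not a number</b>'];

echo renderAgeUnsafe($request['age']), "\n";        // works only by luck
echo renderAgeUnsafe($request['age_bad']), "\n";    // markup passes through
echo renderAgeSafe((int) $request['age']), "\n";    // int handled cleanly
echo renderAgeSafe($request['age_bad']), "\n";      // markup escaped
```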