ZF2-125: Auto-escape feature should be removed

Issue Type: Improvement Created: 2011-12-29T12:01:46.000+0000 Last Updated: 2012-01-03T14:48:36.000+0000 Status: Resolved Fix version(s): Reporter: Juha Suni (zuhac) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend\View

Related issues: Attachments:



I just realized that you have implemented auto-escape feature in Zend\View component. Looking back in PHP history, and especially Magic Quotes, I must warn that this feature will cause huge debate in the future.

Consider, for example, a case where both scalar and array variables are passed to view. Scalars get escaped automatically, while the scalars in array don't. When someone reviews code like this, it is hard to tell which output is properly escaped and which is not.

I admit that it would be nice not have to escape every output using special method etc., but for me the old way ($this->escape() or similar) seems to be the best way.

I wouldn't even suggest making this feature configurable, but rather removing it altogether. I read the comments about this topic on ZF2 wiki and I didn't see a single post that would correctly address this issue (most of the folks don't seem to comprehend the difference between filtering input and escaping output anyway).


Posted by Matthew Weier O'Phinney (matthew) on 2012-01-03T14:48:36.000+0000

Please take this up on the mailing list, not in the issue tracker.

We have many good reasons for introducing auto-escaping, and many have been discussed in the past (the main reason it wasn't implemented in the v1 series is that by the time the discussion came up, we were already poised to release 1.0 stable).

If you feel strongly that auto-escaping should not be an option, then you need to outline your arguments on the mailing list, and allow for discussion.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.