[wp-trac] [WordPress Trac] #53465: PHP 8.1: the default value of the flags parameter for htmlentities() et al. needs to be explicitly set

WordPress Trac noreply at wordpress.org
Fri Apr 5 23:00:43 UTC 2024


#53465: PHP 8.1: the default value of the flags parameter for htmlentities() et
al. needs to be explicitly set
-------------------------------------+-------------------------------------
 Reporter:  jrf                      |       Owner:  hellofromTonya
     Type:  task (blessed)           |      Status:  assigned
 Priority:  normal                   |   Milestone:  6.6
Component:  General                  |     Version:
 Severity:  normal                   |  Resolution:
 Keywords:  php81 has-patch has-     |     Focuses:  coding-standards, php-
  unit-tests                         |  compatibility
-------------------------------------+-------------------------------------

Comment (by SergeyBiryukov):

 Replying to [ticket:53465 jrf]:
 > From the PHP 8.1 changelog:
 >
 > > `htmlspecialchars()`, `htmlentities()`, `htmlspecialchars_decode()`,
 > > `html_entity_decode()` and `get_html_translation_table()` now use
 > > `ENT_QUOTES | ENT_SUBSTITUTE` rather than `ENT_COMPAT` by default.
 > > This means that `'` is escaped to `&#039;` while previously it was
 > > left alone. Additionally, malformed UTF-8 will be replaced by a
 > > Unicode substitution character, instead of resulting in an empty
 > > string.
 > ...
 > To fix this issue, the `$flags` parameter should be explicitly passed in
 > each of these function calls.

 I had a question while revisiting this ticket and PR: What about the
 instances where this change is not relevant, e.g.:
 * `'` or malformed UTF-8 would never occur under normal circumstances.
 * They might occur, but the escaping would not make any difference.

 For example, instances like `htmlentities( __( 'Unknown Feed' ) )`. Do we
 still need to add the `$flags` parameter there?

 > Some investigation will be needed for each of these instances to
 > determine what will be the optimal value for `$flags`.
 >
 > Take note that the "old" parameter default in the function signature is
 > documented as `ENT_COMPAT`, while in the parameter detail documentation,
 > it states that the default, in actual fact, is `ENT_COMPAT | ENT_HTML401`.

 The current draft PR adds `ENT_COMPAT | ENT_HTML401` to most of the
 instances to keep the current behavior, whether or not the change is
 relevant to that particular instance. In some cases, it replaces the
 function call altogether with a more appropriate function.

 Should there be any additional considerations when determining the optimal
 value for `$flags`?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53465#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
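The script below is an added example, not code from the ticket, the draft PR or WordPress core. It makes the distinction the comment asks about concrete: the same input run through `htmlentities()` with the pre-8.1 defaults pinned explicitly (`ENT_COMPAT | ENT_HTML401`) and with the PHP 8.1 defaults pinned explicitly (`ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`). The helper names `escape_legacy()` and `escape_modern()` and the sample strings are assumptions made for this example; passing the flags explicitly is what keeps each call's output identical across PHP versions, whichever value is chosen.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (example only): pin the pre-PHP-8.1 defaults so the
// call behaves the same on PHP 7.x, 8.0 and 8.1+.
function escape_legacy(string $value): string
{
    return htmlentities($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Hypothetical helper (example only): opt into the PHP 8.1 defaults
// explicitly instead of relying on the version-dependent default.
// ENT_HTML401 is kept so that ' becomes &#039; rather than the HTML5 &apos;.
function escape_modern(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Constructed sample inputs covering the three cases raised in the comment.
$samples = [
    // No quotes and valid UTF-8: both flag sets produce the same output,
    // i.e. the 8.1 change is not relevant to this call.
    'plain'      => 'Unknown Feed',
    // A single quote: ENT_COMPAT leaves it alone, ENT_QUOTES encodes it.
    'apostrophe' => "O'Reilly",
    // A truncated multibyte sequence (constructed): without ENT_SUBSTITUTE
    // (and without ENT_IGNORE) htmlentities() returns an empty string,
    // with ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest survives.
    'malformed'  => "caf\xC3",
];

foreach ($samples as $label => $input) {
    $legacy = escape_legacy($input);
    $modern = escape_modern($input);
    printf(
        "%-10s legacy=%s modern=%s %s\n",
        $label,
        var_export($legacy, true),
        var_export($modern, true),
        $legacy === $modern ? '(same)' : '(differs)'
    );
}
```

Running this on any supported PHP version prints `(same)` for the `plain` case and `(differs)` for the other two, which is the practical test for whether a given call site needs more than the default-preserving flags: if the value can never contain a single quote or come from untrusted bytes, either flag set is safe, but pinning one still removes the dependence on the runtime's default. The `malformed` case is the security-relevant one for output escaping, since an empty string silently drops content while U+FFFD keeps the surrounding text intact and visible.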

