[zemnmez]

I want to second this. The top StackOverflow comment for protecting against XSS in PHP still recommends htmlspecialchars() https://stackoverflow.com/questions/1996122/how-to-prevent-x... which is a terrible and ancient approach (context-aware templates are the modern approach).

I also Googled to check CSRF protection and all the sites I can find just discuss rolling it yourself; the example uses some CSPRNG that can potentially return not cryptographically secure numbers without erroring. https://www.section.io/engineering-education/csrf-protection...

That's one thing that really drove me away from PHP. It presents an extremely simple seeming universe, in which web apps are very easy to write – but has really naïve bones, requiring a lot of extra scaffolding to be safe.

[deanc]

You don't get XSS protection out the box from any language's standard library, nor CSRF.

[Flimm]

You do get XSS protection out of the box in most templating languages, though, and PHP is also a templating language.

Take this template:

  <h1>{{ title }}</h1>

In most templating languages, for a title of "<script>alert();</script>", the result will end up being:

  <h1>&lt;script&gt;alert();&lt;/script&gt;</h1>

In PHP, which is a templating language, the equivalent seems to be:

  <h1><?php echo $title; ?></h1>

But this will print the title unescaped, which is a security vulnerability, and incorrect. In reality, the equivalent is:

  <h1><?php echo htmlspecialchars($title); ?></h1>

Now, you could say, don't use PHP as a templating language! But if you're not supposed to use PHP as a templating language, why does it behave as one? This is one of PHP's footguns to be avoided. Personally, I recommend a linter like PHPCS to catch issues like this one.

[deanc]

Templating languages are abstractions on top of other technologies. I don't see how PHP is a templating language. I could write that exact same code above in NodeJS and I'd need to use mustache to escape the output. So you can make the same mistakes in Node, Python.

Nobody writes PHP mixing HTML and PHP anymore, and if you do you should run. Shit code is not unique to PHP and I've seen more than my life's share in JS and Python codebases.

[ptx]

> I don't see how PHP is a templating language [...] Nobody writes PHP mixing HTML and PHP anymore

PHP is designed to be a template language, but it's a terrible template language, so nobody (it is claimed) uses it as it was originally designed to be used anymore.

So "use PHP" is not good advice if what you mean is "use a web framework and a separate third-party template language", which works just as well in any language and doesn't give PHP any particular advantage.

[frou_dh]

Tangential, but I've always found Mustache's tagline "logic-less templates" confusing - what they mean is that the template language doesn't have control flow. Logic is not a synonym of control flow in my mind.

[zelphirkalt]

Well, of course not from any lang that treats HTML as a string, but there are langs, which treat HTML as structured data, in their standard libraries. Take a look at SXML libraries for example. Whatever script you stored as a username for example, it would still get treated as text, not tag, when put into lets say a span or p. SXML is aware of the boundary between tags, their attributes and their content.

[deanc]

I googled SXML and it appears to be have implementation libraries in lots of languages. This is not the core language's standard library.

[zelphirkalt]

What do you put as the distinguishing feature between "core language standard library" and "comes with the language at installation"?

Some example: https://www.gnu.org/software/guile/manual/html_node/Reading-... (no installation of anything third party required)

[deanc]

Alright, let's go with widely-used programming languages for now - I've been programming for over 20 years and never heard of Guile.

I am not against the idea of having native protections built into stdlib, we can agree there, but it's disingenuous to suggest that this problem is unique to PHP as the parent comment suggested. It's the same in all of the major programming languages used to spit out HTML as far as I can tell.

[zelphirkalt]

Oh, very much so. I don't doubt it. Most of them are doing it wrong, fiddling with strings, instead of structured data, which HTML would lend itself really nicely to. Especially PHP, with its "output HTML" in-built mentality should have gotten it right, but did not. Many others did not do any better.