[wp-trac] [WordPress Trac] #53465: PHP 8.1.: the default value of the flags parameter for htmlentities() et al. needs to be explicitly set

WordPress Trac noreply at wordpress.org
Wed Mar 5 13:40:18 UTC 2025


#53465: PHP 8.1.: the default value of the flags parameter for htmlentities() et
al. needs to be explicitly set
-------------------------------------------------+-------------------------
 Reporter:  jrf                                  |       Owner:  (none)
     Type:  task (blessed)                       |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.8
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  php81 has-patch has-unit-tests 2nd-  |     Focuses:  php-
  opinion changes-requested                      |  compatibility
-------------------------------------------------+-------------------------
Changes (by johnbillion):

 * keywords:  php81 has-patch has-unit-tests => php81 has-patch has-unit-
     tests 2nd-opinion changes-requested
 * focuses:  coding-standards, php-compatibility => php-compatibility


Comment:

 To reiterate the point that Joe is making, PHP 8.1 was released over three
 years ago and just shy of 50% of sites are now running PHP 8.1+. If the
 proposed change was to be made now, it would actually revert nearly 50% of
 sites to the previous behaviour which, for the most part, means single
 quotes that are encoded would no longer be encoded. I think this risks a
 greater negative effect than keeping the default behaviour.

 I think one of the following approaches should be taken:

 1. Leave everything as-is, unless specific cases are known where an
 encoded single quote is undesirable. This means there will remain a
 difference in behaviour between sites on PHP 8.1+ and <8.1, which is the
 situation that we have lived with for the last three years.
 2. Do the opposite of the proposed change, which is to move to at least
 `ENT_QUOTES` so single quotes are encoded and decoded, which is the
 default behaviour in PHP 8.1+ and arguably safer as it protects against
 breaking out of single quoted attribute values.

 I am tempted to suggest closing this as wontfix, but I appreciate that
 being more explicit might be preferable.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53465#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
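The behaviour difference the comment describes, as an added example that is not part of the ticket or of WordPress core: the same untrusted value is placed in a single-quoted attribute with the pre-8.1 default flags and with the PHP 8.1+ default flags, passed explicitly so the result no longer depends on the PHP version. The helper name `single_quoted_attr` and the sample input are assumptions; the `ENT_*` constants are PHP's own.

```php
<?php
// Added example (not from the ticket or WordPress core): make the htmlentities()
// flags explicit and compare the two defaults on a single-quoted attribute.

// Default flags before PHP 8.1: only double quotes are encoded.
const FLAGS_PRE_81 = ENT_COMPAT | ENT_HTML401;
// Default flags on PHP 8.1+: both quote styles are encoded, invalid bytes substituted.
const FLAGS_81_PLUS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;

/**
 * Build a single-quoted HTML attribute from an untrusted value (hypothetical helper).
 * With FLAGS_PRE_81 a single quote in $value is left as-is and terminates the
 * attribute early; with FLAGS_81_PLUS it is encoded and stays inside the value.
 */
function single_quoted_attr(string $name, string $value, int $flags): string
{
    return sprintf("%s='%s'", $name, htmlentities($value, $flags, 'UTF-8'));
}

/**
 * Encode and decode with the same flag set; html_entity_decode() honours the
 * quote flags too, so decoding with ENT_COMPAT leaves an encoded single quote
 * untouched. Returns true only when the round trip restores the input.
 */
function round_trips(string $value, int $flags): bool
{
    $encoded = htmlentities($value, $flags, 'UTF-8');
    return html_entity_decode($encoded, $flags, 'UTF-8') === $value;
}

// Constructed sample input containing a single quote.
$input = "O'Reilly";

foreach (['pre-8.1' => FLAGS_PRE_81, '8.1+' => FLAGS_81_PLUS] as $label => $flags) {
    printf("%-8s %s\n", $label, single_quoted_attr('title', $input, $flags));
    printf("%-8s round trip: %s\n", $label, round_trips($input, $flags) ? 'yes' : 'no');
}
```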