> In other languages you can't get that without using a standard library that will escape the values by default.
Escape for what context?
Escaping for SQL is different from escaping for HTML, which in turn is different from escaping for JS.
How does your hypothetical Request object know how to escape any given variable? Does it ping every open database handle to figure out how they want their data escaped? Does it use some kind of static analysis to figure out in what format (HTML? XML? JSON? CSV?) the app is going to spit out the value later on?
Or does it simply run a bunch of cargo-cult functions like
and hope that everything will be okay?
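The point about context, as an added example that is not part of the original comment: the same constructed input needs a different encoding for HTML and for a JS string literal, and none at all for SQL when bound as a parameter. The function names and the sample value are hypothetical, and Python with SQLite is an assumption chosen for illustration.

```python
import html
import json
import sqlite3

# Constructed sample input: a legitimate surname plus characters that
# matter in different output contexts.
VALUE = "O'Brien <b> \\ \n"

def for_html(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)

def for_js_literal(value: str) -> str:
    """Encode as a JS string literal that can sit inside an inline <script>."""
    out = json.dumps(value)  # quotes, backslashes, control chars, non-ASCII
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)  # keep the HTML parser out of the literal
    return out

def sql_roundtrip(value: str) -> str:
    """SQL needs no escaping function: bind the value as a parameter."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT)")
    db.execute("INSERT INTO people (name) VALUES (?)", (value,))
    return db.execute("SELECT name FROM people").fetchone()[0]

def escaped_at_input(value: str) -> dict:
    """What an 'escape everything on the way in' request object produces."""
    pre = html.escape(value, quote=True)
    return {
        "stored": sql_roundtrip(pre),     # database now holds HTML entities
        "html": for_html(pre),            # double-encoded when rendered
        "backslash_intact": "\\" in pre,  # JS metacharacters are untouched
        "newline_intact": "\n" in pre,
    }

if __name__ == "__main__":
    print(for_html(VALUE))
    print(for_js_literal(VALUE))
    print(repr(sql_roundtrip(VALUE)))
    print(escaped_at_input(VALUE))
```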