Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105447 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 68549 invoked from network); 25 Apr 2019 18:45:23 -0000 Received: from unknown (HELO mail-ot1-f51.google.com) (209.85.210.51) by pb1.pair.com with SMTP; 25 Apr 2019 18:45:23 -0000 Received: by mail-ot1-f51.google.com with SMTP id c16so19830604otn.4 for ; Thu, 25 Apr 2019 08:46:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EPnk8nLery47fU8K9ZO4O3GAi+gk52pqD29bzgA/1SM=; b=OZbzqyj2V0TQ7l4qKEuB8xhnwL+9p81c13AZDevRKzvqYJGStifASDauNGCWCMxCaX ufNEhR36ShDYu7bN1T310IYcoBylsq16oAZ09JRvc1vy3TTa0KWVPDHDXykZG2WrHTx1 XWzfs4llv1dR8Yl1fH/3kg9Vxbey+zfiF8UPG9CA/Nz0Ehc583F6OZVdG799Eo0pAAyw 5HG+f9D7Ci0mbPVUhM9b9t650+r/KxZnq9/FAO/Rn1302irJlC7tPPvYVlNa/rTEIod7 jAKooX1ZyxYFnEld+mOcazGVgHcal8RBcCWFRH8BPhQH4I4Z+h9lewnLT4BmnvrI1rxD eY2g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EPnk8nLery47fU8K9ZO4O3GAi+gk52pqD29bzgA/1SM=; b=cNhUBAON2MptqReeyRAPPDSJCKek12dzzm4NlYENS3389LnNOYg3K8kTdsweYWGEbI b2gHLtQX8Bu/GaIRMbrvcLHZDgv+ov/qdxDY+Z7fSf0SKgp8hsKeGBuFlIdqnHA/FKdE LKjyk/GAdaAgGiSLmpr9Zgj6G16yE/vbEgam/bwFLordmZUiZvwzttwzBBZMYA3HAQcy 2L0kJn+KUflMkQj08JcgzhsTyAUM0EulVJHgvjmyx64/MQzo9lHEsYkIQdIh4B6Kbqd8 fhnqMBmikHorVo54l3GfJBvFPITCz9iak71EZpYKbag/jf41v6y+rp/ZDnj4uIOJ8Byx fmRg== X-Gm-Message-State: APjAAAXJF7gBTYhtaoNNTPGYLXTvVqvWUZ6IyO2WOpgRJn6yRLRXRFLY Q9CpcD1i4iaXkAUR9Nh+tASNgAzIBluzaraJswE= X-Google-Smtp-Source: APXvYqxrN/jKuetm6XThNC7zZdfmvnN1Edy6JvPl5/WUtwHjXQippuPe4XEWwGAnYt/EBdWlLCeH1KedHKZYpZDz5Lg= X-Received: by 2002:a05:6830:1153:: with SMTP id x19mr25043614otq.74.1556207177924; Thu, 25 Apr 2019 08:46:17 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 25 Apr 2019 17:46:06 +0200 Message-ID: To: Nikita Popov Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] Alternative approach to short tags deprecation From: peterkokot@gmail.com (Peter Kokot) Hello, On Thu, 25 Apr 2019 at 09:15, Nikita Popov wrote: > > Hi internals, > > As already discussed in the corresponding voting thread, the deprecation of > short tags as proposed has a high risk of causing inadvertent source code > leakage. The RFC proposes to change the default of short_open_tag from On > to Off in PHP 7.4. Any website using short_open_tags without explicitly > enabling it (relying on the default) will leak source code unless proper > precautions are taken before switching to PHP 7.4. > > Disregarding the question of whether short tags should be removed at all > (let's keep that question in the other thread), I do think we need to > reconsider the deprecation approach. In particular, I would like to propose: > > In PHP 7.4: > * The default value of short_open_tag remains as is and enabling > short_open_tag does not generate a deprecation warning (otherwise PHP would > warn in a default config). > * If short_open_tag is enabled: The first use of deprecation warning. (Potentially every use could throw a deprecation, but > generally, if noise in the error log.) > * If short_open_tag is disabled: > In PHP 8.0: > * The default value of short_open_tag remains as is and enabling > short_open_tag does not generate a deprecation warning or error. > * If short_open_tag is enabled: Any use of * If short_open_tag is disabled: > At a later point in time: > * The short_open_tag option is removed. > * > The advantage of such an approach would be that no source code leakage > could occur when switching to PHP 7.4 or PHP 8.0. The disadvantage is that > we'll only be able to fully remove short tags support at a later point in > time. > > Thoughts? > > Regards, > Nikita Sure. I think we can do that also for people who haven't upgraded their code yet and can do that at their own pace by ~ 2025/2026. By that time the rest of us will be using "Jitted", "asynced", more consistent, and slick-syntaxed PHP everywhere already so they can catch us up... :) No worries. The approach described sounds ok to me. Would be also good to think even more in advance - like making