Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114930 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 63984 invoked from network); 17 Jun 2021 13:36:41 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 17 Jun 2021 13:36:41 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 4CC211804D1 for ; Thu, 17 Jun 2021 06:53:41 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-qk1-f179.google.com (mail-qk1-f179.google.com [209.85.222.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 17 Jun 2021 06:53:40 -0700 (PDT) Received: by mail-qk1-f179.google.com with SMTP id bj15so1570217qkb.11 for ; Thu, 17 Jun 2021 06:53:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hy1tVlpilTrbq/5yw1ff2uxFq7ODQbsi2Vm3qwUJ37U=; b=1jeVoXbCbXGx8vxERXJNv2pY+KLGb+T1/f46ndI25RPopK3zYlg/qXY2zrtVbh03je D/zIEXBAe+X1in2WCyjewlbnbJL1zI0m7Q/rqL2YB1UXwk+zrsvi4u5tsDhx4wi7iDKS edwVstpdp9BsJfCLbd4v1XRhBa5SNabi9zB7Nv5jQ86Dqftgfb9s6RiAEqrMzbx4RIym wKMHt5PVclr4inxNp1EZFLVFhELZLkB0Pz/LKODLfoNIvt720pvk/nifYlD71vumwi1U /xNZ9tEIsj+mp4Y0Yio4UbobQHME5kahIgTHaivOQBVya/FiB9OGSuyUkzGj4TeeuuxH DsEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hy1tVlpilTrbq/5yw1ff2uxFq7ODQbsi2Vm3qwUJ37U=; b=DkdXwQ0zKFbkwIAV/7DZoAC8xwg3yXAvA1Y8GNM+xurtITp+6FjOeGBVxICHQELFtE OEITo55GI5mfpWbJItMmp+WrMhpuPiEpsJb3QnsQpFNVez0zZEohHEVjBu73qdAYPqqz TM77kZWc53MsPRUJTPcyHT7ZYh9lQTBC8ETuuYwuNDMfj4WqFRsHvp7tNKtFc6uu8vl1 ImobXgj43zY08CNeBb6O1ZmjlQ3QpAplfgHmHNYtAteyEwCyrvtbaIhUB78VxQJzzwr4 4tnXDc1TtfieWT8VtnHsV+60dT+DYfmLIpZDqCuRzT7PG8+utTCs0k7ZGSFETW+86BY2 FCWQ== X-Gm-Message-State: AOAM53122lRCvgXV82muEDSJgZ84OLfox9I0GNjS20q33xSabucuGwdC e7N77csL+dwPBKLXJXgyh1yMiQ== X-Google-Smtp-Source: ABdhPJyL2QqFVvHF4QGTwkPi0pPYVvb+qJdsI+jNwMS9s5Zav3mkZ3MyQ1HSbf2ayh33ZgZhJnUquA== X-Received: by 2002:a37:ed4:: with SMTP id 203mr4001132qko.361.1623938019836; Thu, 17 Jun 2021 06:53:39 -0700 (PDT) Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8]) by smtp.gmail.com with ESMTPSA id 4sm1759667qkv.134.2021.06.17.06.53.39 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 17 Jun 2021 06:53:39 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) In-Reply-To: Date: Thu, 17 Jun 2021 09:53:38 -0400 Cc: PHP internals Content-Transfer-Encoding: quoted-printable Message-ID: References: To: Craig Francis X-Mailer: Apple Mail (2.3608.120.23.2.7) Subject: Re: [PHP-DEV] [RFC] is_literal From: mike@newclarity.net (Mike Schinkel) > On Jun 16, 2021, at 1:24 PM, Craig Francis = wrote: >=20 > On Sat, 12 Jun 2021 at 18:00, Craig Francis > wrote: >=20 >> I'd like to start the discussion on the is_literal() RFC: >> https://wiki.php.net/rfc/is_literal >>=20 >=20 > Hi Internals, >=20 > Following up on the is_literal() RFC, thanks for the feedback. It = looks > like there are only 2 minor open issues - updating the implementation = to > allow integers, and what to call the flag/function. >=20 > Matthew Brown wants to support integer values, simply because so much = code > already includes them, and I cannot find a single way that integers = alone > can cause issues from an Injection Vulnerability point of view (but if > anyone can, I absolutely welcome their input). Other variable types = like > floats and booleans will still be excluded (because the value you put = in > often is not what you get out, e.g. true/TRUE being converted to "1"). >=20 > Which leads us to the name, because "is_literal" may be, uh, too = literal. > So can we come up with something better? >=20 > It needs to be a name that suggests: This variable contains programmer > defined strings, integers, and interned values (as noticed by Claude = Pache > and Rowan Tommins). Ideally staying in the standard convention of > =E2=80=98is_singleword=E2=80=99. >=20 > Joe has suggested is_known(), where "we have the concept of known = strings > internally", which I like (though might clash with more userland = functions > than =E2=80=98is_literal=E2=80=99). Last night I also wondered about = `is_constrained()`, as > the value has limited sources. But I'd also welcome more suggestions, = and > am happy to set up a poll (thanks Dharman for the strawpoll.com = suggestion). "is_trusted()" comes to mind, inspired by Javascript's Trusted Types = API[1]. That way in the future it could validate other trusted types besides = just literals and integers when and if an agreement on what should be = trusted becomes clear=20 Another plus with the semantics is in many cases the library developer = who used is_trusted() would not need to update their code to support = these newly trusted types, e.g. literal-string types, "trusted" classes = with a __ToString() method, etc. -Mike [1] https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API