Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115152
Return-Path: <danack@basereality.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92905 invoked from network); 26 Jun 2021 12:05:57 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 26 Jun 2021 12:05:57 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5BE6C1804F3
	for <internals@lists.php.net>; Sat, 26 Jun 2021 05:25:12 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,BIGNUM_EMAILS,
	DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <danack@basereality.com>
Received: from mail-vs1-f45.google.com (mail-vs1-f45.google.com [209.85.217.45])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 26 Jun 2021 05:25:12 -0700 (PDT)
Received: by mail-vs1-f45.google.com with SMTP id c26so7028885vso.8
        for <internals@lists.php.net>; Sat, 26 Jun 2021 05:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=M9DpWWqzmJfbgew1mRTjkex7na1D9BEPkO6st60BGJE=;
        b=QDxIOcaCa6QyRWaV4+QJr7BQ+kEenpRov0vHrAqgbmjNPT663iIf+MzDxDZHDV6CuU
         2LyHoiMgx9a9jn1S7umRk4vLVSbD5BgWhvkN4qm9QepTSna14a4SDX3q1/03i7rRkMwl
         olM9KIWMYKsQAU6io+jI5lgP53+c6givXzFXtXW8JtK6oXgWBzS4L/iL4BFmD80WGZC0
         KZDSH5UbzRO1BPjXdUiy0aDTbf9Co1L6G/6ibwaiIPV3Hu7SWkeJPvh6wmyOGHFa8VW4
         TZuI9IU7iATHJREYnJgrxE//2afKb1kB1P83rpkodNcij5ooFmpTqEYd6rFbiznVaq6v
         g0Vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=M9DpWWqzmJfbgew1mRTjkex7na1D9BEPkO6st60BGJE=;
        b=TzOHoiRP5XdcIC1y2J1f3a9EFVi/6H8LBQzuj0SUhb3omx7UmWVnTIAKF42acfAKQi
         cypbEb1oMJ6w25FeDYqFO4lWmUs9iHK38oKPCUUppGl2w6zG4QUq4YYMn/4AuZzreh97
         ydpcE/2Br7UNfkSijc2U080dBxKhHtQykvFn6h0rZljiCiXGgkjzDwikU/mVaMNyKsBe
         /RrV5k+MYhk+dKPssomEdcgPrU8T67knoQjTqFVk+5wwB6pji3cC9g0vm089y9YKTu1G
         NovouvXE95rV39bQGpNpWeWNtMIEOU5SVFo+ryKl0YornYz62xlypRy2IqVEtjJk7XmO
         JcrQ==
X-Gm-Message-State: AOAM532f179AdM3z7J9LNs285bUJOaZvjU5sg29SaLhFGEsmuJ4jtpht
	byHAEM7F4bLoETIMoDmuSijIUG388EE/IDlYket6SQ==
X-Google-Smtp-Source: ABdhPJzb3zH9KA00YrwfCRcaGb3W2apmnuq+q8UNIUZoQxX35QFfTiN7KsfrvIIeH021nHXuOhu1S8W/6TnI02u2GBs=
X-Received: by 2002:a67:1905:: with SMTP id 5mr12727139vsz.1.1624710308047;
 Sat, 26 Jun 2021 05:25:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
 <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
 <CA+hqhpfUiOMLDZyXTqP+mm9jjG6v+K94Ug7K_zvuuZus_XhOaQ@mail.gmail.com>
 <CAKws9z34nTT0_CXoo4Yq7zO2CZX622has23xmfHbWjfaDrgLqA@mail.gmail.com>
 <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
 <CAKws9z1=6fmCxJWYVfN+xKT+u=_ZTq0m7C0nZPT6LB5scbfpXQ@mail.gmail.com>
 <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <CAKws9z1M6aLMJ+T7KEAYbEu7N3ufFi8Lsqpr4GP6G06+8aG3SQ@mail.gmail.com>
 <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com> <CAGBsUrfar+bY+4R9Wp=WfTr5r7-Ur0pVDmNYGJTt1nh9AQ3-Zw@mail.gmail.com>
 <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com> <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net>
 <CAOwTYAtnib3uWToDxHD5xwHPDq755_xYV4Xte+4UBZQcXA+kow@mail.gmail.com>
 <CA+kxMuSdY6w4pUGsZgSe8RntjsXEFoa=kBHqFYg9vwmD4zEJ9w@mail.gmail.com> <CAFv4g+GimufiLQ97fuRu=yg6uhwuf2cY1mh_uEveKWcQ8wddeg@mail.gmail.com>
In-Reply-To: <CAFv4g+GimufiLQ97fuRu=yg6uhwuf2cY1mh_uEveKWcQ8wddeg@mail.gmail.com>
Date: Sat, 26 Jun 2021 13:24:55 +0100
Message-ID: <CA+kxMuRD3zZfuydusXaH7z0WQDq0-uUHD2TV8kvkaNmxXUAixQ@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>, Joe Watkins <krakjoe@php.net>
Cc: php internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: Danack@basereality.com (Dan Ackroyd)

On Fri, 25 Jun 2021 at 00:57, Craig Francis <craig@craigfrancis.co.uk> wrote:
>  > Dan Ackroyd wrote:
> > Please can you go into some detail about what you think people are
> > meant to do when they detect a non-literal used where a literal is
> > expected?
>
> By using a simple function, it allows the library to handle
> the situation however it likes.

That's not an answer to the question.

Just saying "you can handle it however you like" skips over the core
problem with RFC, which is that by supporting carrying the literal
flag through string concatenations,

It allows silly mistakes to slip through and make it to production. As
 per https://news-web.php.net/php.internals/114858:

> Assume that both UserPreferences and getInfoPanel code is covered by
> unit tests. The developer who made that change would run the tests,
> see the tests pass and then push their code live. At which point, it
> would cause an error in production, as the string returned would not
> pass the is_literal check.

For is_literal checks, what's going to happen is:

* programmer makes a mistake, that isn't caught by a test.
* programmer deploys site, and entries about non-literal strings start
being written to log files.
* someone then needs to remember to check the log files, and pull out
the appropriate entries, and make a ticket for them to be
investigated.
* someone then needs to pick up that ticket, investigate the cause of
the non-literal string being used, and trace it back to which
module/library is causing it, then update the ticket for someone on
that team to fix it.
* someone on that team needs to have that ticket prioritised before
they start work on it.

> I'd really like anyone who is promoting this RFC to answer the
> question from https://news-web.php.net/php.internals/115010 :

> Why are you prioritising speed of adoption, over reducing the cost of
> using this feature for projects over say the next 5 or 10 years?

It's going to take more time to track down an error than it will be to
start using the feature.

I had planned to use this RFC to prevent XSS attacks, and in the
current implementation I'm going to get a notice of "There's some
userdata in an inappropriate place. Have fun finding it!" because the
information about where that user data is in the HTML will be lost.

It's still bizarre to me that the RFC is proposing something that
allows mistakes to slip through to production.

cheers
Dan
Ack

btw, email or ticketing systems are not an appropriate place to log
this type of problem. They could happen on every page load, and so
generate hundreds of errors per second. As amusing as it is to look
back at the times that I have generated 10,000 error emails per second
in the past, I don't want to repeat that experience.

Also, I'm going to cross-post this, as it's unreasonable to expect
people to read all of the different threads.