Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115155
Return-Path: <krakjoe@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 97779 invoked from network); 26 Jun 2021 12:26:37 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 26 Jun 2021 12:26:37 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id C6CF61804CC
	for <internals@lists.php.net>; Sat, 26 Jun 2021 05:45:52 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,BIGNUM_EMAILS,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <krakjoe@gmail.com>
Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 26 Jun 2021 05:45:52 -0700 (PDT)
Received: by mail-ot1-f44.google.com with SMTP id 7-20020a9d0d070000b0290439abcef697so12462118oti.2
        for <internals@lists.php.net>; Sat, 26 Jun 2021 05:45:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=QebZvHBgTEQ2aL3UEWwJtCmKmQSMKc3Rekbb1BIczng=;
        b=BmiLsx9IEmdqmsSdyvmIi2J0bDQEtgFP10c+Bx3jGnwY2PzWZjD9r6l0lZNB5rQOtA
         6vs54jh3a8ymaiBQhcwMykaWoi55/ZySnMoVkkaTya9M/PzzHu72RHRfBhiM8itTVOL4
         ppZ2udqhsKH/EiC/rdk6kMeQ8+5lGGwEhVsAj3CO1aUu9yiF6qiVdP0EkcaFCEsfE5jt
         K0kugMA74JdnPD/Ayfj5f/IcFmBXY0AM9qw+VW8W/um3mtn8Z9BsPDq/TimWjXP4Vwiw
         LHelS3152u3y0xOUNo4pNc8di2NMYgsrexP5tZlOKGgbL9Y6cSjAyJb/jpkoxpjYll90
         vDYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=QebZvHBgTEQ2aL3UEWwJtCmKmQSMKc3Rekbb1BIczng=;
        b=SwGGmLmxfQK3KBwXmeYr0OQKZ3r/PQOyWXCzMM+qiQzB55NOUPE9vCLIpH6BImkkJ/
         eLZhIJh7ZVNjkJ74mUwJH+tAfHDLDNX7x4pA662bUL593pWao41p24WSuJcaCtH5GmoA
         +vKDbKtGs1d7CW8oOVsbRS3wCv4yeC/kiqppeUwR7bF2CIV4qIAF18LXitwTGqD1eeIt
         /DW6LsKlhgOScrS6bavopdnccef/0hX4+JC/vn42z1RZi3u4qsbf+7SUSNbIapnYaNxs
         APTFjZqIE/loul+5wJnzy4LW8L1EoUK/CcIz5iGFAwlttPDfpaUWXZMssdLcL1VHLUTW
         Cvvw==
X-Gm-Message-State: AOAM5304NOKGx7yfRBXd5ZAWzIFlmuG6VKFh8nNFKqOcKAYnqwvFqRbC
	WcOGcmZzFfCf59wBMvDBnof1YWCjJ91GIGqmWUM=
X-Google-Smtp-Source: ABdhPJwVUY4OJLbD4uF60c5jV/S7Gti1hExxovgdAEUDY2eJdNVcAZbTW/gkRASh0znjLfJIdx5P6nI8Wy2+DC9DeYo=
X-Received: by 2002:a9d:2621:: with SMTP id a30mr11890909otb.221.1624711550845;
 Sat, 26 Jun 2021 05:45:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
 <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
 <CA+hqhpfUiOMLDZyXTqP+mm9jjG6v+K94Ug7K_zvuuZus_XhOaQ@mail.gmail.com>
 <CAKws9z34nTT0_CXoo4Yq7zO2CZX622has23xmfHbWjfaDrgLqA@mail.gmail.com>
 <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
 <CAKws9z1=6fmCxJWYVfN+xKT+u=_ZTq0m7C0nZPT6LB5scbfpXQ@mail.gmail.com>
 <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <CAKws9z1M6aLMJ+T7KEAYbEu7N3ufFi8Lsqpr4GP6G06+8aG3SQ@mail.gmail.com>
 <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com> <CAGBsUrfar+bY+4R9Wp=WfTr5r7-Ur0pVDmNYGJTt1nh9AQ3-Zw@mail.gmail.com>
 <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com> <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net>
 <CAOwTYAtnib3uWToDxHD5xwHPDq755_xYV4Xte+4UBZQcXA+kow@mail.gmail.com>
 <CA+kxMuSdY6w4pUGsZgSe8RntjsXEFoa=kBHqFYg9vwmD4zEJ9w@mail.gmail.com>
 <CAFv4g+GimufiLQ97fuRu=yg6uhwuf2cY1mh_uEveKWcQ8wddeg@mail.gmail.com> <CA+kxMuRD3zZfuydusXaH7z0WQDq0-uUHD2TV8kvkaNmxXUAixQ@mail.gmail.com>
In-Reply-To: <CA+kxMuRD3zZfuydusXaH7z0WQDq0-uUHD2TV8kvkaNmxXUAixQ@mail.gmail.com>
Date: Sat, 26 Jun 2021 14:45:39 +0200
Message-ID: <CAOwTYAvjNmk0rBHuQz3PcOfTDFAtok4LJja33RotapYBLJc9_Q@mail.gmail.com>
To: Dan Ackroyd <Danack@basereality.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000d9c92d05c5aaa21b"
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: krakjoe@gmail.com (Joe Watkins)

--000000000000d9c92d05c5aaa21b
Content-Type: text/plain; charset="UTF-8"

Please, stop spamming us with the same comments.

Cheers
Joe

On Sat, 26 Jun 2021 at 14:25, Dan Ackroyd <Danack@basereality.com> wrote:

> On Fri, 25 Jun 2021 at 00:57, Craig Francis <craig@craigfrancis.co.uk>
> wrote:
> >  > Dan Ackroyd wrote:
> > > Please can you go into some detail about what you think people are
> > > meant to do when they detect a non-literal used where a literal is
> > > expected?
> >
> > By using a simple function, it allows the library to handle
> > the situation however it likes.
>
> That's not an answer to the question.
>
> Just saying "you can handle it however you like" skips over the core
> problem with RFC, which is that by supporting carrying the literal
> flag through string concatenations,
>
> It allows silly mistakes to slip through and make it to production. As
>  per https://news-web.php.net/php.internals/114858:
>
> > Assume that both UserPreferences and getInfoPanel code is covered by
> > unit tests. The developer who made that change would run the tests,
> > see the tests pass and then push their code live. At which point, it
> > would cause an error in production, as the string returned would not
> > pass the is_literal check.
>
> For is_literal checks, what's going to happen is:
>
> * programmer makes a mistake, that isn't caught by a test.
> * programmer deploys site, and entries about non-literal strings start
> being written to log files.
> * someone then needs to remember to check the log files, and pull out
> the appropriate entries, and make a ticket for them to be
> investigated.
> * someone then needs to pick up that ticket, investigate the cause of
> the non-literal string being used, and trace it back to which
> module/library is causing it, then update the ticket for someone on
> that team to fix it.
> * someone on that team needs to have that ticket prioritised before
> they start work on it.
>
> > I'd really like anyone who is promoting this RFC to answer the
> > question from https://news-web.php.net/php.internals/115010 :
>
> > Why are you prioritising speed of adoption, over reducing the cost of
> > using this feature for projects over say the next 5 or 10 years?
>
> It's going to take more time to track down an error than it will be to
> start using the feature.
>
> I had planned to use this RFC to prevent XSS attacks, and in the
> current implementation I'm going to get a notice of "There's some
> userdata in an inappropriate place. Have fun finding it!" because the
> information about where that user data is in the HTML will be lost.
>
> It's still bizarre to me that the RFC is proposing something that
> allows mistakes to slip through to production.
>
> cheers
> Dan
> Ack
>
> btw, email or ticketing systems are not an appropriate place to log
> this type of problem. They could happen on every page load, and so
> generate hundreds of errors per second. As amusing as it is to look
> back at the times that I have generated 10,000 error emails per second
> in the past, I don't want to repeat that experience.
>
> Also, I'm going to cross-post this, as it's unreasonable to expect
> people to read all of the different threads.
>

--000000000000d9c92d05c5aaa21b--