Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: Danack@basereality.com (Dan Ackroyd)
Date: Fri, 16 Jul 2021 15:50:46 +0100
To: Craig Francis
Cc: "G. P. B.", PHP internals

On Mon, 12 Jul 2021 at 19:57, Craig Francis wrote:

> the “go-safe-html” library authors decided that
> "the ergonomics of trusting concatenated constants far outweighs the security concern".

Go is a quite different programming language to PHP.

When they say 'constants', they appear to be able to enforce that by
using a clever feature of that language
https://github.com/google/safehtml/blob/2057dd9c30f9e264f4d01c29d886d51f1b519302/template/template.go#L440-L452
:

```
// stringConstant is an unexported string type. Users of this package cannot
// create values of this type except by passing an untyped string constant to
// functions which expect a stringConstant. This type must be used only in
// function and method parameters.
type stringConstant string

func stringConstantsToStrings(strs []stringConstant) []string {
    ret := make([]string, 0, len(strs))
    for _, s := range strs {
        ret = append(ret, string(s))
    }
    return ret
}
```

i.e. this code works, as the url template is an actual string constant
(not a variable):

```
safehtml.TrustedResourceURLFormatFromConstant(
    `//www.youtube.com/v/%{id}?hl=%{lang}`,
    map[string]string{
        "id":   "abc0def1",
        "lang": "en",
    })
```

Attempting to use a string variable, fails to even compile:

```
format := `//www.youtube.com/v/%{id}?hl=%{lang}`
safehtml.TrustedResourceURLFormatFromConstant(
    format,
    map[string]string{
        "id":   "abc0def1",
        "lang": "en",
    })

cannot use format (type string) as type safehtml.stringConstant in
argument to safehtml.TrustedResourceURLFormatFromConstant
```

The current JavaScript equivalent ideas for string literals appear to
be inactive or archived:

* https://github.com/mikewest/tc39-proposal-literals - This repository
  has been archived by the owner. It is now read-only.
* https://github.com/tc39/proposal-array-is-template-object - not
  particularly active.

But my understanding is that like the Go implementation, they are
proposing to enforce literal-ness of function parameters through
special compilation rules for parameters to function calls, rather
than passing literal strings around to arbitrary places - below* or
https://tc39.es/proposal-array-is-template-object/#sec-gettemplateobject

The other JavaScript approach for dealing with trusted types
(https://auth0.com/blog/securing-spa-with-trusted-types/) is even more
different than this proposal.

It seems pretty inaccurate to claim that either the safehtml library
or the proposal for JavaScript support the choice made for the PHP
RFC. They don't appear to actually allow carrying literal-ness through
variables, only through compile-time constants that are placed inside
the parentheses of a function call. They also work in a different way,
and use features of those languages not available in PHP.

cheers
Dan
Ack

* this is the definition for the proposed JavaScript literal
implementation, I think.

```
Runtime Semantics: GetTemplateObject ( templateLiteral )

The abstract operation GetTemplateObject is called with a Parse Node,
templateLiteral, as an argument. It performs the following steps:

1. Let realm be the current Realm Record.
2. Let templateRegistry be realm.[[TemplateMap]].
3. For each element e of templateRegistry, do
   a. If e.[[Site]] is the same Parse Node as templateLiteral, then
      i. Return e.[[Array]].
4. Let rawStrings be TemplateStrings of templateLiteral with argument true.
5. Let cookedStrings be TemplateStrings of templateLiteral with argument false.
6. Let count be the number of elements in the List cookedStrings.
7. Assert: count ≤ 2^32 - 1.
8. Let template be ! ArrayCreate(count).
9. Set template.[[TemplateObject]] to true.
10. Let rawObj be ! ArrayCreate(count).
11. Let index be 0.
12. ...
```
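
The Go mechanism the message describes, as an added example that is not part of the original message and is not safehtml's code: it shows that a concatenation of untyped constants is still accepted by a `stringConstant` parameter, while a string variable is not. `FormatFromConstant`, `base`, `tmpl` and the sample values are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// stringConstant copies the unexported-type trick quoted above. In a real
// library it sits in its own package, so callers can neither name it nor
// convert to it; inside this one file, stringConstant(v) would still compile.
type stringConstant string

// FormatFromConstant is a hypothetical function for this example (not the
// safehtml API). The format must be a compile-time constant; the values in
// args are treated as untrusted and are query-escaped before substitution.
func FormatFromConstant(format stringConstant, args map[string]string) string {
	out := string(format)
	for name, value := range args {
		out = strings.ReplaceAll(out, "%{"+name+"}", url.QueryEscape(value))
	}
	return out
}

// Concatenating untyped constants yields another untyped constant, so this
// is accepted wherever a stringConstant parameter is expected.
const base = "//www.youtube.com/v/"
const tmpl = base + "%{id}?hl=%{lang}"

func main() {
	// Constructed sample values.
	fmt.Println(FormatFromConstant(tmpl, map[string]string{"id": "abc0def1", "lang": "en"}))
	fmt.Println(FormatFromConstant("//h/%{id}", map[string]string{"id": "a b&c"}))

	// Rejected at compile time, because a variable of type string is not
	// assignable to stringConstant:
	//   format := "//www.youtube.com/v/%{id}"
	//   FormatFromConstant(format, nil)
	// The same holds for base + someVariable: the sum is a plain string.
}
```
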