Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: Dan Ackroyd
Cc: "G. P. B.", PHP internals
Date: Fri, 16 Jul 2021 18:40:03 +0100

On Fri, 16 Jul 2021 at 15:50, Dan Ackroyd wrote:

> On Mon, 12 Jul 2021 at 19:57, Craig Francis wrote:
>
> > the “go-safe-html” library authors decided that
> > "the ergonomics of trusting concatenated constants far outweighs the
> > security concern".
>
> Go is a quite different programming language to PHP.

Go is different: it's limited to running the check at compile time. That's why I was referencing the “go-safe-html” library. PHP is more dynamic, so we don't need to have the same restrictions (we can allow the developer to concatenate the string, which allows us to support existing code, rather than relying on the library).

> The current JavaScript equivalent ideas for string literals appear to be
> inactive or archived.

As noted in the RFC, it's this one:

https://github.com/tc39/proposal-array-is-template-object

Krzysztof has just confirmed that he’s working on it, and is currently getting it through tc39 (specifically updates related to Realms, a way of executing JavaScript within the context of a new global object, something PHP does not need to worry about).

> The other JavaScript approach for dealing with trusted types
> (https://auth0.com/blog/securing-spa-with-trusted-types/) is even more
> different than this proposal.

While the article shows some React/Angular code, the focus is on Trusted Types, which works with this concept. It protects unsafe APIs (like innerHTML), where you can create a policy with methods to check/filter values (e.g. forcing the use of DOMPurify). The isTemplateObject method (which checks that a template string was created by the developer) will work with Trusted Types, so you don't need to rely on filtering (unreliable/limited).

Craig
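The "trust the developer's literal, check everything else" idea that the thread discusses, as an added Node-runnable example that is not code from the thread, the RFC or the TC39 proposal. It assumes Array.isTemplateObject is not yet shipped, so a structural stand-in (isTemplateObjectLike) is used, and TrustedHTML / setInnerHTML are constructed stand-ins for the browser's Trusted Types type and the innerHTML sink.

```javascript
// Added example (not from the thread or the RFC). ASSUMPTION: Array.isTemplateObject
// (the TC39 proposal) is not available, so isTemplateObjectLike() stands in for it.
// TrustedHTML and setInnerHTML are constructed stand-ins, not the browser's own API.

// A template object created from a literal is a frozen array carrying a frozen
// `raw` array of the same length. A caller could hand-build a matching object,
// which is exactly the gap the real isTemplateObject closes; illustration only.
function isTemplateObjectLike(strings) {
  return Array.isArray(strings) && Object.isFrozen(strings)
    && Array.isArray(strings.raw) && Object.isFrozen(strings.raw)
    && strings.raw.length === strings.length;
}

// Stand-in for Trusted Types' TrustedHTML: an opaque wrapper meant to be minted
// only by the html`` tag below, so holding one proves the markup came through it.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Tag function: literal chunks the developer wrote pass through unchanged;
// interpolated values are escaped unless they are already TrustedHTML (nesting).
function html(strings, ...values) {
  if (!isTemplateObjectLike(strings)) {
    throw new TypeError('html must be used as a tag on a template literal');
  }
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHTML ? v.toString() : escapeHtml(v)) + strings[i + 1];
  });
  return new TrustedHTML(out);
}

// Stand-in for an innerHTML sink under a Trusted Types policy: a plain string,
// including one built by concatenation, is rejected; only TrustedHTML is written.
function setInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError('innerHTML requires TrustedHTML, not a plain string');
  }
  element.innerHTML = value.toString();
  return element.innerHTML;
}
```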