Newsgroups: php.internals
Xref: news.php.net php.internals:116042
Date: Tue, 14 Sep 2021 15:50:27 +0100
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal

On Wed, 8 Sept 2021 at 07:33, Claude Pache wrote:

> We all want to protect from injection vulnerability, but I think there are
> better ways than is_literal.
>
> One way is to use templates, an area where PHP is ironically lagging
> behind. I suggest looking at JS tagged templates:
> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#tagged_templates

Hi Claude,

Posting on-list, as I've not had a reply (was confirming I've not missed anything).

I have looked at JavaScript Tagged Templates before, and while they could be made to work (ish), I don't believe they are better than the `is_literal()` proposal to protect against Injection Vulnerabilities:

1) It would require developers and libraries to re-write all of their existing code to use Tagged Templates.
2) If we copied JavaScript, the methods/functions can still be called incorrectly:

    // `name` is not defined in the original snippet; a sample value is
    // declared here so that the three calls below can actually run.
    const name = 'World';

    function template(html, ...values) {
        console.log(html, values);
    }

    // Tagged template: `html` is the strings array built by the engine,
    // `values` holds the interpolated value.
    template`Hi ${name}`;

    // Wrong: a plain array holding an already-interpolated string; the
    // library can no longer tell literal text from the value.
    template([`Hi ${name}`]);

    // Wrong: a hand-built array in the same shape as a strings array,
    // with the value mixed in among the "literals".
    template(['Hi ', name, '']);

PHP could provide a way for Libraries to check the developer has used a Tagged Template, but that's basically what the `is_literal()` proposal does. With JavaScript, this is why `isTemplateObject()` is being developed, and Trusted Types might get `fromLiteral()`.

3) Libraries would not be able to use Tagged Templates and easily support older versions of PHP.

4) The backtick character is already used for `shell_exec()` like functionality.

Craig
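The following is an added example, not code from the original email or from the is_literal RFC. It shows what a library-side check for "was I actually invoked as a tagged template?" looks like in today's JavaScript, which is the check the message above says PHP libraries would need and which `isTemplateObject()` is meant to provide natively. The `isTemplateStringsArray`, `escapeHtml`, `template`, `correctUse` and `incorrectUse` names and the sample value are assumptions made for this example. The heuristic relies on the fact that a genuine template strings array and its `raw` property are both frozen; a caller can forge that shape with `Object.freeze`, which is exactly why a native check backed by an internal slot is being pursued.

```javascript
// Added example (not from the original email): approximate check for a
// genuine template strings array. A real one is frozen, carries a frozen
// `raw` array of the same length, and is created by the engine at the call
// site; a plain array built by the caller has none of these properties.
function isTemplateStringsArray(strings) {
  return Array.isArray(strings)
    && Object.isFrozen(strings)
    && Array.isArray(strings.raw)
    && Object.isFrozen(strings.raw)
    && strings.raw.length === strings.length;
}

// Minimal HTML escaping for the interpolated (untrusted) values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "library" tag function: literal parts are trusted only when they
// really came from a template literal, interpolated values are always escaped.
function template(strings, ...values) {
  if (!isTemplateStringsArray(strings)) {
    throw new TypeError('template() must be invoked as a tagged template literal');
  }
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed sample input standing in for a user-supplied value.
const userName = '<script>alert(1)</script>';

// Correct use: the literal parts come from the call site, the value is escaped.
function correctUse() {
  return template`Hi ${userName}`;
}

// The incorrect use from the email: a hand-built array instead of a tagged
// template. The check refuses it rather than trusting caller-built "literals".
function incorrectUse() {
  try {
    template(['Hi ', userName, '']);
    return 'accepted';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'error';
  }
}

console.log(correctUse());   // Hi &lt;script&gt;alert(1)&lt;/script&gt;
console.log(incorrectUse()); // rejected
```

The frozen-array heuristic only distinguishes honest mistakes (the two "Wrong" calls in the email) from tagged-template use; it is not a security boundary against code that deliberately forges the shape, and a native `isTemplateObject()` or a PHP-level `is_literal()` is what closes that gap.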