Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:117793 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 63818 invoked from network); 26 May 2022 14:58:42 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 26 May 2022 14:58:42 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C4FFB1804C9 for ; Thu, 26 May 2022 09:41:28 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 26 May 2022 09:41:28 -0700 (PDT) Received: by mail-wr1-f50.google.com with SMTP id e2so2852043wrc.1 for ; Thu, 26 May 2022 09:41:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fXr0pueiXB6hlY5w21pbGq090sEFS6H6Cc/y4O3wjMs=; b=Qm3TR6wC5NSdy+PIuGxCJaYEOkqVgW4iwQdsu609QBu2QTaYCXyyo1vT8RxgY9971D d+hML+PHNhf6LypytA/khjYZtwKhz+qWS1W45RF7q3W+G3kjiFtsqilWDugcFdARuKTr cu1eWQiAZ1mx7OPJYJ+/QV8K+IRYUUJ2lFBsQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fXr0pueiXB6hlY5w21pbGq090sEFS6H6Cc/y4O3wjMs=; b=61p5Mt3Ana4n78PYwUPuZxqb4v8piFR8YlDg14PC3qX0j6/rbOpl1Vy0f7M8qUkA00 +rgB2llzcRcJmMYUcV3qyS5UIvXTW2fTVmmqFj052c4t1Cd1Y4KHuyxAac/ljlod5l7X daxkA8guX04eBsWQxB5SxUFq9cs/LaAAJdpxB+g4v+55tW5faNp8hCEiKDZcSFofhwfQ fh8wufGU4/MMhe+bSpVUjcnAI81EWC1rcyR6qwEkYdGyLA78THrMkRRPAurpufEJ9Plv qaKmr2fTBpZtZsteRrFz6wmrDeCzlN90SJOTIuQWvjrLoQ7QTc8JB8Cjoe/ZOSWRqkJD R3GA== X-Gm-Message-State: AOAM5314NyBBQHRfHls+V5+SeYzfopFt/Ys9FnglgZQ5c3UuiGwSmJ9n 7d7qoAEDK92XSTuYpVSLz5mFBw== X-Google-Smtp-Source: ABdhPJzINRkbvgjbtM80xUtVNB+ezsIW8EjMJftK7B9mXe5x5OV/qCsmftBNCi1tnq5ME7nRyfOvyw== X-Received: by 2002:a5d:4409:0:b0:210:ddd:1808 with SMTP id z9-20020a5d4409000000b002100ddd1808mr2678106wrq.53.1653583286840; Thu, 26 May 2022 09:41:26 -0700 (PDT) Received: from smtpclient.apple ([94.173.138.98]) by smtp.gmail.com with ESMTPSA id l19-20020a05600c4f1300b0039746638d6esm2586961wmq.33.2022.05.26.09.41.25 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 May 2022 09:41:26 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) In-Reply-To: Date: Thu, 26 May 2022 17:41:24 +0100 Cc: Internals Content-Transfer-Encoding: quoted-printable Message-ID: <2DC21BE3-558E-4530-B5D8-C5EE6F6CFEF3@craigfrancis.co.uk> References: <1755E8B5-229B-47B2-BBAF-B5E014F5473D@craigfrancis.co.uk> <1180af01-080f-ee0a-3159-74bf7e0a8aea@gmail.com> <73F563E2-7C31-4B5E-A6B9-AE1BD05ADD1C@craigfrancis.co.uk> To: Michael Babker X-Mailer: Apple Mail (2.3696.80.82.1.1) Subject: Re: [PHP-DEV] NULL Coercion Consistency From: craig@craigfrancis.co.uk (Craig Francis) On 26 May 2022, at 15:01, Michael Babker = wrote: > On Thu, May 26, 2022 at 7:21 AM Craig Francis = wrote: >> That said, I would still like to know about the benefits of rejecting = NULL for `htmlspecialchars()`, in the context of that Laravel Blade = patch; because, if it is beneficial (vs the BC break), they should = revert that patch... shouldn't they? >=20 > No, they should not. Laravel made an explicit choice to handle null = values in its escaping function for its templating framework. That is = their choice to make. They should not be forced to implicitly handle = null values because the language decides to add implicit type coercion = to user defined functions (because consistency seems to be so important = to some), and they should not be forced to reject null values because = underlying language functions reject them as well. Erm, I'm simply asking - If there is a good reason for throwing an = exception when NULL is passed to `htmlspecialchars()`, then that reason = would also apply to Laravel Blade for it's HTML encoding. If you know what that reasons is, you should be able to make that case = to them, and get that patch reverted. I believe the only time it's helpful is when working in a strict type = environment, which is best checked with static analysis, as those extra = type checks can highlight unexpected values. But most (I'm assuming = ~85%) developers simply do not use strict type checking, and don't seem = to consider the sources of NULL (see the "Common sources of NULL" I've = listed in the RFC), and for those developers, spending days editing = their code to manually convert those NULL values, that does not seem = justified. To respond to your comment, Laravel doesn't provide a native type = declaration (it's in a DocBlock), so they don't have any type coercion = for their `e()` function: = https://github.com/laravel/framework/blob/c113768dbd47de7466d703108eaf8155= 916d5666/src/Illuminate/Support/helpers.php#L109 > Every implicit type coercion is a bug in hiding IMO. That's fine, but strict static analysis is so much better at finding = these issues (i.e. can this variable be NULL, vs a runtime check to see = if the value is NULL this time)... and if you want runtime checks as = well, that's where `strict_types=3D1` comes in. > If a function, by explicit design, can safely work with null values = then that parameter should be properly declared nullable. `htmlspecialchars()` can and always has safely worked with NULL, the = same with the other 335 parameters I've listed. But when I suggested = changing these parameters to be nullable, it was not well received. > Yes, that means that there is a lot of work involved for folks between = now and the release of PHP 9.0 to either refactor code to avoid type = errors or to get the language to expand the supported types in = appropriate functions, but IMO that effort from all parties is worth it = in the long run to ensure language consistency (I really don=E2=80=99t = think userland PHP and internal/extension PHP should have vastly = different behaviors, and type coercion support based on where a function = is designed is one of those holes that needs filled) and to ensure all = APIs explicitly declare what types of data they support. I don't think userland and internal functions should have different = behaviours either (my RFC does say "keep user-defined and internal = functions consistent"). To achieve that, for those not using `strict_types=3D1`, I'm simply = suggesting that NULL coercion continues to work for internal functions, = and we update user-defined functions to allow NULL coercion. This would = also help developers add native types to their functions. Then we have a = setup which is basically the same as how the string "6" can be coerced = to the integer 6, and how string concatenation with NULL works, how `'' = =3D=3D $nullable` works`, how `sprintf('Hi %s', $nullable)` works, how = `echo $nullable` works, etc. Craig