Newsgroups: php.internals
Message-ID: <24d35dc8-bd1d-3d90-99ac-ebdcc3b2a9e4@gmail.com>
Date: Fri, 27 May 2022 10:11:18 +0100
To: internals@lists.php.net
In-Reply-To: <73F563E2-7C31-4B5E-A6B9-AE1BD05ADD1C@craigfrancis.co.uk>
Subject: Re: [PHP-DEV] NULL Coercion Consistency
From: rowan.collins@gmail.com (Rowan Tommins)

On 26/05/2022 13:20, Craig Francis wrote:
> First, the Docblock originally said this function did not accept NULL, but at runtime it accepted/coerced NULL to an empty string. This is exactly how `htmlspecialchars()` worked pre 8.1. Where developers using static analysis tools can choose to treat NULL as an invalid value, and those tools could report nullable variables as an error (via strict type checking).

The same events can be given a very different narrative:

Originally, this function was not intended to accept null. The documentation clearly stated the accepted types, and any static analysis tool would reject any value not in that list. The author of the function chose to treat NULL as an invalid value. Because the list of valid types wasn't enforced at run-time, it was accidentally possible to pass null. Many developers who weren't using additional tooling came to rely on this bug, so as a compromise, the authors decided to change the documented behaviour of nulls.

At no point did anybody look at the function and say "I can safely pass null to this, as long as I remember never to use static analysis tools". They accidentally passed null, and by luck got a useful result.

>> I also note that the commit message says "On PHP >= 8.1, an error is thrown if `null` is passed to `htmlspecialchars`." which is of course not true for native PHP, only if you make the highly dubious decision to promote deprecations to errors.
> While I'd put the word "error" down as a typo, the intention is for 9.0 to throw a type error.

My point is that there is no action required on PHP 8.1. The commit message should have said, "On PHP >= 9.0, an error will be thrown if `null` is passed to `htmlspecialchars`."

> And while user-defined functions are part of the conversation (for consistency reasons), I'm trying to find the benefits of breaking NULL coercion for internal functions (because, if there is an overall benefit, that Laravel Blade patch should be reverted).

This is a complete non sequitur. It's perfectly possible for different scenarios to support different decisions, and what Laravel decides that particular function should accept is based on their own assessment of the trade-offs. PHP is free to make an entirely different decision based on entirely different trade-offs.

Meanwhile, the benefits have been explained repeatedly in this thread. You may not agree that they are worth the cost, and as I've repeatedly said, I have some sympathy for that. But please stop trying to take the conversation back to the very beginning by implying that you've asked a question and not received an answer.

Regards,

--
Rowan Tommins
[IMSoP]