Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:122048 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 59293 invoked from network); 26 Dec 2023 21:45:36 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 26 Dec 2023 21:45:36 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 68D22180051 for ; Tue, 26 Dec 2023 13:45:59 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 26 Dec 2023 13:45:58 -0800 (PST) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-336f2c88361so220665f8f.3 for ; Tue, 26 Dec 2023 13:45:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703627131; x=1704231931; darn=lists.php.net; h=content-transfer-encoding:subject:from:to:content-language :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=gXwLucjJEUFbGBD5ct5y7fAg/7HABNAqsQfTFW5S0rc=; b=cfgHrIXb0wted6LlaGiFxOYPfFnD8BBOfP2nDC2ZknDu7+xVkulrjd33VRGsKmi7ai vZmMr79zxzYRYB8kctzdd1Fskj0POzW7txqzJEUaHryXuvy8H+qo58FAfRT6BWUpw8UW BIgCYgBeCYnV7mGfGDx1KbLfp1m6KyxGzfbcXEATNBRiheAGHQ7/1IKkSmrj3M4lqCH6 XSHiEVl/uXK9GnsqZVTsd0V+MMQhgFPNRTrpb4S7iwX+yIXD1NrtIEbFS/gyyDUZjHqp VHNhe9F5zhpr2sw+X4we13/Y/FwUd/rJpOA9aCDCe3xl63ncRG982Iw02kU0tF7M8r8p VCuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703627131; x=1704231931; h=content-transfer-encoding:subject:from:to:content-language :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=gXwLucjJEUFbGBD5ct5y7fAg/7HABNAqsQfTFW5S0rc=; b=EJv3yfTvTaEIVzOOtu9Vhg575tY9zmU43FznwtLLWx2LKaQYjVrIeOP6sGBcZwRJZZ KL9pm81SO1CSQEIT8trYlMWfi7OOMMFnPVXMN55BGcTm9LHZWtxrHhJu0ZvdM+ipdlR7 fXoEUEszYQvPO4t0moh5VeYpaIy3wkK3wRunvcitmcWEWRt0U2eok4r6rd0YT01sNKRI 7XnaYNolJ30b2cQvenB96HdRAmgumdNcGF6gcgA6DmBFVpqNSF1D51MVHXw1f0/rH8bA 8OXsqMnPdtILjpbKhnsPxHRQd9Bact20hJpVkxnS2nJ+aGt4GUks15NNjvs64P1eApEq 2IRQ== X-Gm-Message-State: AOJu0Yz+5gQB7xC/v8pdC2K/WyucIVJ1O9o2dV01KoVxXGdJIr0uMUBt Az0I+lxGuwgN4i3ZOAbGmDBeixdZ/p0= X-Google-Smtp-Source: AGHT+IFemiUG371Yt1vtwPKyu9rWSh9TujxRt2wVlGUp6Vl1IC/7LmauuHUsrANRC9LAFbcDelPcsw== X-Received: by 2002:a05:600c:4f14:b0:40d:4d68:28c8 with SMTP id l20-20020a05600c4f1400b0040d4d6828c8mr3255944wmq.140.1703627131325; Tue, 26 Dec 2023 13:45:31 -0800 (PST) Received: from ?IPV6:2a02:1811:cc83:ee30:8e76:2662:766d:ebaa? (ptr-dtfv04vjm7u23t23d7u.18120a2.ip6.access.telenet.be. [2a02:1811:cc83:ee30:8e76:2662:766d:ebaa]) by smtp.gmail.com with ESMTPSA id u12-20020a5d434c000000b00336ee9edbb3sm925288wrr.94.2023.12.26.13.45.30 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Dec 2023 13:45:31 -0800 (PST) Message-ID: <756bcf2b-f98d-4203-9004-1cbfd402337a@gmail.com> Date: Tue, 26 Dec 2023 22:45:30 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: PHP internals Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Pre-RFC: Fixing spec bugs in the DOM extension From: dossche.niels@gmail.com (Niels Dossche) Hi internals The DOM extension in PHP is used to parse, query and manipulate XML/HTML documents. The DOM extension is based on the DOM specification. Originally this was the DOM Core Level 3 specification, but nowadays, that specification has evolved into the current "Living Specification" maintained by WHATWG. Unfortunately, there are many bugs in PHP's DOM extension. Most of those bugs are related to namespace and attribute handling. This leads to people trying to work around those bugs by relying on more bugs, or on undocumented side-effects of incorrect behaviour, leading to even more issues in the end. Furthermore, some of these bugs may have security implications [1]. Some of these bugs are caused because the method or property was implemented incorrectly back in the day, or because the original specification used to be unclear. A smaller part of this is because the specification has made breaking changes when HTML 5 first came along and the specification creators had to unify what browsers implemented into a single specification that everyone agreed on. It's not possible to "just fix" these bugs because people actually _rely_ on these bugs. They are also often unaware that what they're doing is actually incorrect or causes the internal document state to be inconsistent. We therefore have to fix this in a backwards-compatible way: i.e. a hard requirement is that all code written for the current DOM extension keeps working without requiring changes. In short: the main problem is that 20 years of buggy behaviour means that the bugs have become ingrained into the system. Some people have implemented userland DOM libraries on top of the existing DOM extension. However, even userland solutions can't fully work around issues caused by PHP's DOM extension. The real solution is to provide a BC-preserving fix at PHP's side. Roughly 1.5 months ago I merged my HTML 5 RFC [2] into the PHP 8.4 development branch. This RFC introduced new document classes: DOM\HTMLDocument and DOM\XMLDocument. The idea here was to preserve backwards compatibility: if the user wants to keep using HTML 4, they can keep using the DOMDocument class. Also, when the user wants to work with HTML 5 and are currently using workarounds, they can migrate on their own pace (without deprecations or anything) to the new classes. New code can use DOM\{HTML,XML}Document from the start without touching the old classes. The HTML 5 RFC has left us with an interesting opportunity to also introduce the spec bugfixes in a BC-preserving way. The idea is that when the new DOM\{HTML,XML}Document classes are used, then the DOM extension will follow the DOM specification and therefore get rid of bugs. When you are using the DOMDocument class, the old implementations will be used. This means that backwards compatibility is kept. For the past 2.5 weeks I've been working on getting all spec bugs that I know of fixed. The full list of bugs that this proposal fixes can be found here: https://github.com/nielsdos/php-src/blob/dom-spec-compliance-pub/bugs.md. I also found some discussion [3] from some years ago where C. Scott shared a list of problems they encountered at Wikimedia [4]. All behavioural issues are fixed in my PR [5], although my PR could always use more testing. Currently I have tested that existing DOM code does not break (I have tested veewee's XML library, Mensbeam library, some SimpleSAML libraries). I have added tests to test the new spec-compliant behaviour. I also ported some of the WHATWG's WPT DOM tests (DOM spec-compliance testsuite) to PHP and those that I've ported all pass [6]. Implementation PR can be found here: https://github.com/php/php-src/pull/13031 Note that this is not a new extension, but an improvement to the existing DOM extension. As for "why not an entirely new extension?", please see the reasoning in my HTML 5 RFC. All interactions with SimpleXML, XSL, XPath etc will remain possible like you are used to. Implementation-wise, a lot of code internally is shared between the spec-compliant and old implementations. I intend to put this up for RFC. There is however one last detail that needs to be cleared up: what about "type issues"? To give an example of a "type issue": there is a `string DOMNode::$prefix` property. DOM spec tells us that this should be nullable: when there is no prefix for a node, the prefix should return NULL. However, because the property is a string, this currently returns an empty string instead in PHP. Not a big deal maybe, but there's many of these subtle inconsistencies: null vs false return value, arguments that should accept `?string` instead of `string`, etc. Sadly, it's not possible to fix the typing issues for properties and methods for DOMNode, DOMElement, ... because of BC: properties and methods can be overridden. Or is it? Currently, as a result of the HTML 5 RFC, the new DOM\{HTML,XML}Document classes keep using the DOMNode, DOMElement, ... classes. For consistency, the DOMNode etc class were aliased to the DOM namespace, i.e. DOM\Node is an alias for DOMNode, DOM\Element an alias for DOMElement etc. Being an alias, this means that fixing types for DOM\Node is not possible because it's really just another name for DOMNode, so changing it for DOM\Node means changing it for DOMNode. _Unless_ we no longer alias the classes but make them proper classes instead. This means we can fix the typing for DOM\Node while keeping DOMNode untouched, preserving BC. The downside is that it becomes more difficult for interoperability. One of the reasons the HTML 5 RFC introduced aliases instead of proper classes is so that code taking a DOMNode as an argument could also be passed a DOM\Node. However, if we make it a proper class instead, such code has to either transition fully to the new DOM classes _or_ use a type union, e.g. DOMNode|DOM\Node. In my opinion, having them become proper classes instead of aliases has my preference: either we fix everything in one go now while we have the opportunity, or never. Let me know what you think, especially regarding the type issues. Kind regards Niels [1] https://github.com/php/php-src/issues/8388 [2] https://wiki.php.net/rfc/domdocument_html5_parser [3] https://externals.io/message/104687 [4] https://www.mediawiki.org/wiki/Parsoid/PHP/Help_wanted [5] https://github.com/php/php-src/pull/13031 [6] https://github.com/nielsdos/wpt/tree/master/dom/php-out (yes, this is a dirty port)