Newsgroups: php.internals
Date: Sun, 21 Oct 2012 23:47:00 -0400
From: Sherif Ramadan <theanomaly.is@gmail.com>
To: Stas Malyshev
Cc: Charlie Somerville, internals@lists.php.net
Subject: Re: [PHP-DEV] HTML escaped short echo tag

On Sun, Oct 21, 2012 at 1:01 PM, Stas Malyshev wrote:
> Hi!
>
>> I'd like to propose a new short tag that echos with HTML escaping.
>
> What is "HTML escaping"? Different contexts need different escaping. For
> outside tags it's one escaping, for tag attribute it's another, for JS
> code context - yet another. Selecting just one use case and integrating
> it into the language is a bad idea - since you are basically saying
> everybody should use this specific case in any case, which is wrong.
>
>> The new tag should be just as short and easy to type as <?=
>
> Personally I'm hugely *not* a fan of more obscure syntax in PHP.
> Especially one that will quickly lead people into writing insecure code
> because of applying wrong escaping function for the context.

I completely agree. Adding a new syntax for automatic escaping (even if configurable -- yay more php.ini!) is not going to change anyone's mindset from defensive to offensive stance in my opinion. If you have a template which generates javascript, css, and x/html all from the same PHP file, you get a lot of confusion having to deal with some new syntax where users now have to be considerate of what output syntax decides on what escape method.

For this, most user-space implementations (frameworks like you mentioned) do a fine job of identifying these common use cases and providing a common solution. There's the taint approach which could allow a framework to automatically figure out which variables are tainted and should be escaped and which aren't and can pass through cleanly. PHP doesn't need to get in the way here. I think the existing userland implementations should do fine if they get it right.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
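A worked illustration of the point made in the thread, that each output context needs its own escaper, added here as an example and not code from the thread, from the proposal, or from PHP itself. The helper names (esc_html, esc_js, esc_url_param) and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: one escaper per output context.
// "HTML escaping" is not one operation; each sink (text node, quoted attribute,
// URL parameter, JS string) needs its own, which is why a single auto-escaping
// tag cannot be right for all of them.

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Text between tags, and the value of a *quoted* attribute.
function esc_html(string $s): string
{
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

// Data embedded in a <script> block: emit a JS string literal and hex-escape
// the characters that could close the script element or a surrounding
// attribute, so a "</script>" inside the data cannot end the block early.
function esc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// One query-string component of a URL.
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample input: harmless, but it carries the characters each
// context treats differently (quotes, angle brackets, ampersand, a closing tag).
$name = 'O\'Brien <"admin"> & </script>';

$out  = '<p>Hello ' . esc_html($name) . "</p>\n";
$out .= '<input name="who" value="' . esc_html($name) . "\">\n";  // value is quoted
$out .= '<a href="/u?who=' . esc_url_param($name) . "\">profile</a>\n";
$out .= '<script>var who = ' . esc_js($name) . ";</script>\n";

// The wrong pairing is the insecure case the thread warns about: esc_html()
// in an *unquoted* attribute (value=...) leaves spaces and '=' untouched, so
// the data can introduce further attributes. Quote the value, always.

echo $out;
```

Run with the PHP CLI; each line of the output shows the same input rendered safely for a different sink.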