Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91797
Return-Path: <daniel@ifixit.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35520 invoked from network); 20 Mar 2016 22:30:07 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Mar 2016 22:30:07 -0000
Received: from [127.0.0.1] ([127.0.0.1:1758])
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ECSTREAM
	id 9C/DA-48999-E642FE65 for <internals@lists.php.net>; Sun, 20 Mar 2016 17:30:06 -0500
Authentication-Results: pb1.pair.com smtp.mail=daniel@ifixit.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=daniel@ifixit.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ifixit.com designates 173.203.6.139 as permitted sender)
X-PHP-List-Original-Sender: daniel@ifixit.com
X-Host-Fingerprint: 173.203.6.139 smtp139.ord.emailsrvr.com Linux 2.6
Received: from [173.203.6.139] ([173.203.6.139:46829] helo=smtp139.ord.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 86/DA-48999-1302FE65 for <internals@lists.php.net>; Sun, 20 Mar 2016 17:12:02 -0500
Received: from smtp22.relay.ord1a.emailsrvr.com (localhost.localdomain [127.0.0.1])
	by smtp22.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id 0CA331000AD
	for <internals@lists.php.net>; Sun, 20 Mar 2016 18:11:59 -0400 (EDT)
X-Auth-ID: daniel@ifixit.com
Received: by smtp22.relay.ord1a.emailsrvr.com (Authenticated sender: daniel-AT-ifixit.com) with ESMTPSA id 7BF8210009D
	for <internals@lists.php.net>; Sun, 20 Mar 2016 18:11:58 -0400 (EDT)
X-Sender-Id: daniel@ifixit.com
Received: from mail-lf0-f47.google.com (mail-lf0-f47.google.com [209.85.215.47])
	(using TLSv1.2 with cipher AES128-GCM-SHA256)
	by 0.0.0.0:587 (trex/5.5.4);
	Sun, 20 Mar 2016 18:11:59 -0400
Received: by mail-lf0-f47.google.com with SMTP id d82so51040152lfe.3
        for <internals@lists.php.net>; Sun, 20 Mar 2016 15:11:58 -0700 (PDT)
X-Gm-Message-State: AD7BkJIbSWBjlhWCf9/XX9BfjtNRX6eN77YjXXDLLbDh5XZL7dq5A2zhq7AOF5PsJCFk0v2O+/RGUduNqaAV2w==
X-Received: by 10.25.146.197 with SMTP id u188mr9580943lfd.139.1458511916866;
 Sun, 20 Mar 2016 15:11:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.16.201 with HTTP; Sun, 20 Mar 2016 15:11:37 -0700 (PDT)
Date: Sun, 20 Mar 2016 15:11:37 -0700
X-Gmail-Original-Message-ID: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
Message-ID: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
To: internals@lists.php.net
Content-Type: multipart/alternative; boundary=001a114035aeb4a6aa052e8244a1
Subject: RFC about automatic template escaping
From: daniel@ifixit.com (Daniel Beardsley)

--001a114035aeb4a6aa052e8244a1
Content-Type: text/plain; charset=UTF-8

I'd like to submit an RFC (with a pull request) for adding auto-escaping to
the php language.

We at iFixit.com have used PHP for nearly a decade to run our website.
Several years ago, we abandoned the Smarty templating engine and used php
files directly as templates. This worked, but was a bit unsafe and made it
too easy to leave user submitted content unescaped. Several years ago we
switched to using a modified version of PHP that included auto-escaping and
it has been working great. In the process of preparing to use php 7, I've
re-implemented the changes against the master branch.

I'd like to gauge interest in this before I formally submit an RFC. Here's
a somewhat better description that I've attached to a pull request on our
internal fork of php.

Pull request on internal fork: https://github.com/iFixit/php-src/pull/14

Background
==========
PHP doesn't have any mechanism to inject logic between templating
and final output. There is no way to filter or alter the content
that comes from code in templates like: <?= $someVar ?>

To use php as a robust templataing language, we must inject *some*
logic between templates and their output. We have chosen to make
all <?=, echo, and print statements subject to an optional
trip through the internal function php_escape_html_entitiles.

The functionality can be toggled with `ini_set('__auto_escape')`
and configured with `__auto_escape_flags` and
`__auto_escape_exempt_class` (see commit
https://github.com/iFixit/php-src/commit/2dae5d16436ce37856f6e00ca2a1b3009bb1f7ed
for info about the class name based auto-escaping exemption.

Methodology
===========
T_ECHO (echo, <?=) and T_PRINT (print) now both emit a
ZEND_AST_ECHO_ESCAPE node in the syntax tree.

That's compiled to a function which emits a ZEND_ECHO_ESCAPE op code.

The op code interpretation is a dupe of ZEND_ECHO except with some
if() statements that switch the underlying function from `zend_write`
to `zend_write_escape` based on the ini settings.

zend_write_escape is a new function pointer that points to
php_escape_write.

php_escape_write is a new function that passes it's string argument
through php_escape_html_entities() (with __auto_escape_flags) before
calling the underlying php_output_write.

Use
===
This functionality allows us to safely use php straight as a
templating language with no template compilation step (as many
other templating libraries have).

See the included tests for more usage information.

Exempt Class
============
It is useful to allow some utility functions and helpers to produce
html and have it passed straight through in the template (without
being double-encoded). We accomplish this by *tagging* strings
as being HTML.

    class HtmlString implements JsonSerializable {
       protected $html = '';

       public function __construct($html) {
          $this->html = $html;
       }

       public function __toString() {
          return (string)$this->html;
       }

       public function jsonSerialize() {
          return $this->html;
       }
    }

The auto-escaping system can be configured with an:
__auto_escape_exempt_class="HtmlString"

Which allows instances of `HtmlString` to pass straight through a
template without being modified (skipping the html_entities call).
Helper functions can now return html safely and consumers don't have
to care if it is HTML or not because the auto-escaping system knows
what to do.

Thanks for your consideration!
Daniel Beardsley

--001a114035aeb4a6aa052e8244a1--