Newsgroups: php.internals
Date: Sun, 20 Mar 2016 15:11:37 -0700
From: daniel@ifixit.com (Daniel Beardsley)
To: internals@lists.php.net
Subject: RFC about automatic template escaping

I'd like to submit an RFC (with a pull request) for adding auto-escaping to the php language.

We at iFixit.com have used PHP for nearly a decade to run our website. Several years ago, we abandoned the Smarty templating engine and used php files directly as templates. This worked, but was a bit unsafe and made it too easy to leave user-submitted content unescaped. Several years ago we switched to using a modified version of PHP that included auto-escaping and it has been working great.

In the process of preparing to use php 7, I've re-implemented the changes against the master branch. I'd like to gauge interest in this before I formally submit an RFC.

Here's a somewhat better description that I've attached to a pull request on our internal fork of php.

Pull request on internal fork: https://github.com/iFixit/php-src/pull/14

Background
==========

PHP doesn't have any mechanism to inject logic between templating and final output. There is no way to filter or alter the content that comes from code in templates like:

To use php as a robust templating language, we must inject *some* logic between templates and their output.
We have chosen to make all

    // Class header and constructor reconstructed from the surrounding text;
    // the archived message is cut off just before `$this->html = $html;`.
    class HtmlString implements JsonSerializable {
       private $html;

       public function __construct($html) {
          $this->html = $html;
       }

       public function __toString() {
          return (string)$this->html;
       }

       public function jsonSerialize() {
          return $this->html;
       }
    }

The auto-escaping system can be configured with an:

    __auto_escape_exempt_class="HtmlString"

which allows instances of `HtmlString` to pass straight through a template without being modified (skipping the html_entities call). Helper functions can now return html safely and consumers don't have to care if it is HTML or not because the auto-escaping system knows what to do.

Thanks for your consideration!

Daniel Beardsley
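What the exempt-class rule amounts to, written out in plain userland PHP as an added example (this is not code from the RFC, from the linked pull request or from iFixit's fork). Stock PHP has no hook between `<?= $x ?>` and the output, so the decision the proposed engine would make automatically is made here by an explicit helper; the helper names `e()` and `anchor()` are assumptions for this example, as are the constructed inputs.

```php
<?php
// Added example, not code from the RFC or from iFixit's PHP fork. Every value
// that reaches the output is HTML-escaped unless it is an instance of
// HtmlString, which is exactly the rule __auto_escape_exempt_class expresses.
// The names HtmlString, e() and anchor() are assumptions for this example.

class HtmlString implements JsonSerializable
{
    private $html;

    public function __construct($html)
    {
        $this->html = (string) $html;
    }

    public function __toString()
    {
        return $this->html;
    }

    #[\ReturnTypeWillChange] // silences the PHP 8.1+ deprecation; a plain comment on PHP 7
    public function jsonSerialize()
    {
        return $this->html;
    }
}

// Escape for an HTML text or quoted-attribute context unless the value is
// already marked as safe HTML. ENT_QUOTES covers both quote styles, so the
// result is safe inside single- or double-quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning '' (which would silently drop
// content); the explicit 'UTF-8' avoids depending on default_charset.
function e($value)
{
    if ($value instanceof HtmlString) {
        return (string) $value;            // exempt: passed through untouched
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A helper that builds markup and marks it safe. This is the point of the
// exempt class: the helper escapes its own inputs once, when the markup is
// built, and the caller no longer has to know whether the return value is HTML.
function anchor($href, $text)
{
    return new HtmlString('<a href="' . e($href) . '">' . e($text) . '</a>');
}

// Constructed inputs standing in for user-submitted content.
$userName = '<script>alert(1)</script>';
$title    = 'Guide "A" & B';

$out  = '<h1>' . e($title) . '</h1>' . "\n";
$out .= '<p>Hello, ' . e($userName) . '</p>' . "\n";
$out .= '<p>' . e(anchor('/users/' . rawurlencode($userName), $userName)) . '</p>' . "\n";
$out .= json_encode(['greeting' => anchor('/', 'Home')]) . "\n"; // jsonSerialize() emits the raw markup

echo $out;
```

Running it shows the script tag entity-encoded in the greeting and again inside the anchor text, while the `<a>` element built by `anchor()` reaches the output intact. Two caveats a practitioner should keep in mind with this design: the exempt class is a trust mark, so any place that wraps raw user input in an `HtmlString` reintroduces the exact bug the auto-escaper removes, and such constructors should be few and easy to audit; and entity escaping is the right transform for element content and quoted attributes only, so a value placed inside a `<script>` block, a `style` attribute or the scheme position of a URL still needs context-specific encoding that neither the helper nor the proposed engine provides.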