Newsgroups: php.internals
Date: Sun, 20 Mar 2016 19:34:56 -0700
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: pollita@php.net (Sara Golemon)
To: Daniel Beardsley
Cc: PHP internals

On Sun, Mar 20, 2016 at 3:11 PM, Daniel Beardsley wrote:
> I'd like to submit an RFC (with a pull request) for adding auto-escaping to
> the php language.
>
> T_ECHO (echo, ZEND_AST_ECHO_ESCAPE node in the syntax tree.
>
Interesting approach, I assume an explicit `echo $foo;` takes the normal
ZEND_ECHO route then?

> zend_write_escape is a new function pointer that points to
> php_escape_write.
>
Pluggable, good.

> The auto-escaping system can be configured with an:
> __auto_escape_exempt_class="HtmlString"
>
I wonder if allowing the classes to declare themselves as exempt (or
self-escapable) might be a better approach. e.g.

    class Foo implements HtmlEscapable {
      public function htmlEscape() {
        return htmlentities($this->whatever);
      }
    }

> Which allows instances of `HtmlString` to pass straight through a
> template without being modified (skipping the html_entities call).
>
IME once you provide an escape hatch, said hatch WILL be used. It's not a
question of IF.
For my part, I'd toss the idea of XHP
( https://docs.hhvm.com/hack/XHP/introduction ) back into consideration over
something like this. This approach has the smell of magic quotes which we got
rid of for very good reason. XHP is much more explicit in separating markup
from data and relies far less (not at all when you do it right) on escape
hatches.

-Sara
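As an added illustration (not code from the RFC, the patch, or Sara's mail), a userland sketch of the two hatch designs being compared: an exempt class whose instances pass through untouched versus a class that escapes itself through an interface. The class names, the `escape_write` stand-in and the sample input are assumptions.

```php
<?php
// Added example, not part of the thread. Models in userland what the proposed
// zend_write_escape hook would do with each kind of value.

interface HtmlEscapable {
    public function htmlEscape(): string;
}

// Self-escaping value: the escaping logic lives with the class, so the
// template layer never emits a raw string on its behalf.
final class UserName implements HtmlEscapable {
    public function __construct(private string $raw) {}
    public function htmlEscape(): string {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Exempt-class hatch (__auto_escape_exempt_class="HtmlString" in the RFC):
// whatever was wrapped reaches the page verbatim, escaped or not.
final class HtmlString {
    public function __construct(public string $html) {}
}

// Userland stand-in for the escape-on-write hook (assumed name).
function escape_write(mixed $value): string {
    if ($value instanceof HtmlEscapable) {
        return $value->htmlEscape();       // class decides how it is escaped
    }
    if ($value instanceof HtmlString) {
        return $value->html;               // the hatch: no escaping at all
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: markup characters that must not reach the page raw.
$input = '<b>not markup</b> & "quoted"';

echo escape_write($input), "\n";                 // plain string: escaped
echo escape_write(new UserName($input)), "\n";   // self-escaping: escaped
echo escape_write(new HtmlString($input)), "\n"; // exempt hatch: raw markup
```

The third line is the case Sara's objection is about: once `HtmlString` exists, any code path that wraps unescaped data in it bypasses the auto-escaping entirely, whereas the interface route keeps the escaping inside the class.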