Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91799
Return-Path: <php@golemon.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 48294 invoked from network); 21 Mar 2016 02:35:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Mar 2016 02:35:02 -0000
Authentication-Results: pb1.pair.com header.from=php@golemon.com; sender-id=softfail
Authentication-Results: pb1.pair.com smtp.mail=php@golemon.com; spf=softfail; sender-id=softfail
Received-SPF: softfail (pb1.pair.com: domain golemon.com does not designate 209.85.215.44 as permitted sender)
X-PHP-List-Original-Sender: php@golemon.com
X-Host-Fingerprint: 209.85.215.44 mail-lf0-f44.google.com  
Received: from [209.85.215.44] ([209.85.215.44:35383] helo=mail-lf0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F1/6C-48999-3DD5FE65 for <internals@lists.php.net>; Sun, 20 Mar 2016 21:35:00 -0500
Received: by mail-lf0-f44.google.com with SMTP id v130so72154084lfd.2
        for <internals@lists.php.net>; Sun, 20 Mar 2016 19:34:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=golemon-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc;
        bh=qMjc5CvmbECdsyB9SNFoe25D6IyKfTsC4Ezzp6vaR5o=;
        b=UvY2Zp/SeVuG8f9ocNz1q581o/DfCAijkXHgP6oy5rQQeb82aM6SiaxNMFl4hoP06i
         D/mDgcWS7VQR1LOQgxVfC6N3KpRrqtP87PyAE6pR92kJjzPAfr3QtBmIpO6/d9BmWurf
         XCEp33Q0gngaM8oz9wyngtYemejMHuQQJL6LFi4/OPgSHBaouOTnu1OKPf1C/PVZncUQ
         rmeuuEwjrLIzdH/QgcUW4BA0GEbVszE+LSM2q85DIdu8IOVk+ZvI17H4NMffqcfcYQOz
         BEqNeyTpf2pW9YHhYUuLJT4/lyxVMMdb66p/e+7AcC39wnbKfH5ZD52xCnC8UOcA2Zf/
         P3pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:date
         :message-id:subject:from:to:cc;
        bh=qMjc5CvmbECdsyB9SNFoe25D6IyKfTsC4Ezzp6vaR5o=;
        b=a0tnB6UCH1dvIRZTxMQ6H8XLRL8T47U4r7MWM48+oynf0vdLkH36tkhUF+RF3IVYzF
         rti23QpFeyTutf0eaWjDm+vIpYl1u1FFUE2R5XFXmORr00FaY6XRwTEzo2vMUCFqQ6Ih
         /QNM93L4WN89hawKKZch2hJ+CCkJtbsHgZn238jhmHE1u71lfoLRQmbfooA2vZN/30o/
         uLQ8ALLIRQaKFbf4GKIE+obqBNe10U1vq0E98f4RAGH6nsXxbejoDOsl1rxi7ktVZBoj
         Lw0B3FL5RT+B/cxtM431WFLDpSg20H5zuEwiwFUlBt3Pvv6RnjOfTs/+4Uu+66QZ3o6g
         QyUg==
X-Gm-Message-State: AD7BkJIQSFizwolOAvquNWz4bCBFI4kxqTAT8Mk/25Q4NcwiL1UjBWSO23l11RaJwK/pcKM3sYW0RXQz+8XMzQ==
MIME-Version: 1.0
X-Received: by 10.25.218.196 with SMTP id r187mr10227377lfg.6.1458527696195;
 Sun, 20 Mar 2016 19:34:56 -0700 (PDT)
Sender: php@golemon.com
Received: by 10.112.18.75 with HTTP; Sun, 20 Mar 2016 19:34:56 -0700 (PDT)
X-Originating-IP: [107.198.91.68]
In-Reply-To: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
Date: Sun, 20 Mar 2016 19:34:56 -0700
X-Google-Sender-Auth: f170pJEH_a97viTJXZo6obqSA5E
Message-ID: <CAESVnVprfe-0n7kq5JdoW3jVsb1jLZ+MSenQbZZJKjAXJh6NDA@mail.gmail.com>
To: Daniel Beardsley <daniel@ifixit.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: pollita@php.net (Sara Golemon)

On Sun, Mar 20, 2016 at 3:11 PM, Daniel Beardsley <daniel@ifixit.com> wrote:
> I'd like to submit an RFC (with a pull request) for adding auto-escaping to
> the php language.
>
> T_ECHO (echo, <?=) and T_PRINT (print) now both emit a
> ZEND_AST_ECHO_ESCAPE node in the syntax tree.
>
Interesting approach, I assume an explicit `echo $foo;` takes the
normal ZEND_ECHO route then?

> zend_write_escape is a new function pointer that points to
> php_escape_write.
>
Pluggable, good.

> The auto-escaping system can be configured with an:
> __auto_escape_exempt_class="HtmlString"
>
I wonder if allowing the classes to declare themselves as exempty (or
self-escapable) might be a better approach.

e.g.
class Foo implements HtmlEscapable {
  public function htmlEscape() {
    return htmlentites($this->whatever);
  }
}

> Which allows instances of `HtmlString` to pass straight through a
> template without being modified (skipping the html_entities call).
>
IME once you provide an escape hatch, said hatch WILL be used.  It's
not a question of IF.

For my part, I'd toss the idea of XHP (
https://docs.hhvm.com/hack/XHP/introduction ) back into consideration
over something like this.

This approach has the smell of magic quotes which we got rid of for
very good reason.  XHP is much more explicit in separating markup from
data and relies far less (not at all when you do it right) on escape
hatches.

-Sara