Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91800
Return-Path: <jesseschalken@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 52846 invoked from network); 21 Mar 2016 04:11:59 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Mar 2016 04:11:59 -0000
Authentication-Results: pb1.pair.com header.from=jesseschalken@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jesseschalken@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.182 as permitted sender)
X-PHP-List-Original-Sender: jesseschalken@gmail.com
X-Host-Fingerprint: 209.85.223.182 mail-io0-f182.google.com  
Received: from [209.85.223.182] ([209.85.223.182:33187] helo=mail-io0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8C/DC-48999-E847FE65 for <internals@lists.php.net>; Sun, 20 Mar 2016 23:11:58 -0500
Received: by mail-io0-f182.google.com with SMTP id c63so18351718iof.0
        for <internals@lists.php.net>; Sun, 20 Mar 2016 21:11:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc;
        bh=gdEb+5BApOokn1KcSCLRjslKVeVw8JMfP8HP6lYeY9c=;
        b=FXJLJUZWeab3JV7/zP51huvpXdO2gDmfhkHNY977hllmI57YPrAu4p+ob5tu7JwjTZ
         in4+7VXc0jp5w2z5I97Tsm1TlwVryNfn1LU1rilF9t+QZB8B/z+/l4X1xidjbb7JIghz
         t81jqkE3qmW8NgXEUT5bvKVEFYeDWshAB2LOKcBpVichCB995+Eaa/duOfsVxTTXBL18
         pk8+U5JJmwgzGhSqe/CCT3USzjy5ZfHBlMZL0GMZcHjleBCFc+vaJza1NuuDW4FFHBRZ
         c86Lz8yu+vKCc91GC9fQlK4t1vw2EKMHxoKasfxRmgC4ByGbl/o60244pATqnLrbQQda
         Y2fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:date
         :message-id:subject:from:to:cc;
        bh=gdEb+5BApOokn1KcSCLRjslKVeVw8JMfP8HP6lYeY9c=;
        b=lk4BpCtmniaFj72xWPRKad/wcSMbXG/iTriV5Da03BqqVTP1cPNS/itssiP3VGVKIH
         1poN5UO7KQAPabMINaL/UF8xOcBGLzNnFsBB2Uj0i5BRcyFa7keLTgiiua7QuILII+nf
         3RfRWqoU3Ssfeaq4JN2j58UeHVsEQAWxnPPBhSCi7BMQkDayd8A0v/Rx9hS7a7EKo5GX
         2g1SOSxxWpyW36W5HABiBkb8FzlmMhkGcfpst4a4NrM5pV3wiOMwbD8PTIHB4mM4156q
         FEOyPOBzdsxg8vlatSYijEFsZ6ZwNwlR4lzUrnDZpA5D2fjtKnang0s0iKfoDUDb+Gs4
         tYQA==
X-Gm-Message-State: AD7BkJLfRyyfN/zFfAJcIEKHi/Gi4dHvCFp9lRIzD5/l1G8LIWWHfJ1WM7TWAPsyS/90mXYsoQUVdp+y+aE+tA==
MIME-Version: 1.0
X-Received: by 10.107.9.10 with SMTP id j10mr26616166ioi.104.1458533515821;
 Sun, 20 Mar 2016 21:11:55 -0700 (PDT)
Sender: jesseschalken@gmail.com
Received: by 10.79.100.199 with HTTP; Sun, 20 Mar 2016 21:11:55 -0700 (PDT)
Received: by 10.79.100.199 with HTTP; Sun, 20 Mar 2016 21:11:55 -0700 (PDT)
In-Reply-To: <CAESVnVprfe-0n7kq5JdoW3jVsb1jLZ+MSenQbZZJKjAXJh6NDA@mail.gmail.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
	<CAESVnVprfe-0n7kq5JdoW3jVsb1jLZ+MSenQbZZJKjAXJh6NDA@mail.gmail.com>
Date: Mon, 21 Mar 2016 15:11:55 +1100
X-Google-Sender-Auth: Avj2hPKT10GLRV3AvA057Y9-O5E
Message-ID: <CAF1yvAQSAQ5K0oQ6yC5==o1TLaQE8Ume9SuFo34MQou3wbPNAw@mail.gmail.com>
To: Sara Golemon <pollita@php.net>
Cc: Daniel Beardsley <daniel@ifixit.com>, internals@lists.php.net
Content-Type: multipart/alternative; boundary=001a113f9b6a1abf7d052e874cde
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: me@jesseschalken.com (Jesse Schalken)

--001a113f9b6a1abf7d052e874cde
Content-Type: text/plain; charset=UTF-8

I agree XHP really is the right solution for this problem. It enables HTML
to be created structurally and composably with a concise inline syntax,
just like JSX/React does for JavaScript, and just like LINQ does for SQL in
C#. It's* much* better than passing around snippets of HTML as strings that
can easily break.
On Sun, Mar 20, 2016 at 3:11 PM, Daniel Beardsley <daniel@ifixit.com> wrote:
> I'd like to submit an RFC (with a pull request) for adding auto-escaping
to
> the php language.
>
> T_ECHO (echo, <?=) and T_PRINT (print) now both emit a
> ZEND_AST_ECHO_ESCAPE node in the syntax tree.
>
Interesting approach, I assume an explicit `echo $foo;` takes the
normal ZEND_ECHO route then?

> zend_write_escape is a new function pointer that points to
> php_escape_write.
>
Pluggable, good.

> The auto-escaping system can be configured with an:
> __auto_escape_exempt_class="HtmlString"
>
I wonder if allowing the classes to declare themselves as exempty (or
self-escapable) might be a better approach.

e.g.
class Foo implements HtmlEscapable {
  public function htmlEscape() {
    return htmlentites($this->whatever);
  }
}

> Which allows instances of `HtmlString` to pass straight through a
> template without being modified (skipping the html_entities call).
>
IME once you provide an escape hatch, said hatch WILL be used.  It's
not a question of IF.

For my part, I'd toss the idea of XHP (
https://docs.hhvm.com/hack/XHP/introduction ) back into consideration
over something like this.

This approach has the smell of magic quotes which we got rid of for
very good reason.  XHP is much more explicit in separating markup from
data and relies far less (not at all when you do it right) on escape
hatches.

-Sara

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

--001a113f9b6a1abf7d052e874cde--