Newsgroups: php.internals
Date: Mon, 21 Mar 2016 15:11:55 +1100
To: Sara Golemon
Cc: Daniel Beardsley, internals@lists.php.net
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: me@jesseschalken.com (Jesse Schalken)

I agree XHP really is the right solution for this problem. It enables HTML to be created structurally and composably with a concise inline syntax, just like JSX/React does for JavaScript, and just like LINQ does for SQL in C#. It's *much* better than passing around snippets of HTML as strings that can easily break.

> On Sun, Mar 20, 2016 at 3:11 PM, Daniel Beardsley wrote:
>> I'd like to submit an RFC (with a pull request) for adding auto-escaping to
>> the php language.
>>
>> T_ECHO (echo, ZEND_AST_ECHO_ESCAPE node in the syntax tree.
>
> Interesting approach, I assume an explicit `echo $foo;` takes the normal
> ZEND_ECHO route then?
>
>> zend_write_escape is a new function pointer that points to
>> php_escape_write.
>
> Pluggable, good.
>
>> The auto-escaping system can be configured with an:
>> __auto_escape_exempt_class="HtmlString"
>
> I wonder if allowing the classes to declare themselves as exempt (or
> self-escapable) might be a better approach. e.g.
>
> class Foo implements HtmlEscapable {
>   public function htmlEscape() {
>     return htmlentities($this->whatever);
>   }
> }
>
>> Which allows instances of `HtmlString` to pass straight through a
>> template without being modified (skipping the html_entities call).
>
> IME once you provide an escape hatch, said hatch WILL be used. It's not a
> question of IF.
>
> For my part, I'd toss the idea of XHP
> ( https://docs.hhvm.com/hack/XHP/introduction ) back into consideration
> over something like this. This approach has the smell of magic quotes
> which we got rid of for very good reason. XHP is much more explicit in
> separating markup from data and relies far less (not at all when you do it
> right) on escape hatches.
>
> -Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
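The following is an added example and not code from the RFC, its pull request, or anyone in the thread. It sketches in userland the two ideas the quoted reply contrasts: a class that opts in to escaping by implementing an interface, and a pass-through "already safe" class whose only way in is a structural builder, so the escape hatch Sara warns about is reduced to one auditable constructor. The names `HtmlEscapable`, `Username`, `SafeHtml` and `echo_escaped` are hypothetical, and the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example; hypothetical names throughout, not the RFC's own API.

interface HtmlEscapable
{
    /** Return a string that is already safe to emit as HTML text content. */
    public function htmlEscape(): string;
}

/**
 * Plain data that owns its escaping rule. Nothing bypasses escaping here;
 * the rule just lives with the class instead of in an ini-level exemption list.
 */
final class Username implements HtmlEscapable
{
    public function __construct(private string $name) {}

    public function htmlEscape(): string
    {
        return htmlspecialchars($this->name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/**
 * The pass-through class (the RFC's HtmlString role). The constructor is
 * private, so pre-rendered markup can only be created by the builder below,
 * which escapes its content itself. That keeps the hatch to a single place.
 */
final class SafeHtml implements HtmlEscapable
{
    private function __construct(private string $html) {}

    /** Wrap already-escapable content in a tag chosen from a strict allow-list. */
    public static function tag(string $name, HtmlEscapable|string $content): self
    {
        if (!preg_match('/\A[a-z][a-z0-9]*\z/', $name)) {
            throw new InvalidArgumentException('tag name must be lowercase ASCII letters/digits');
        }
        $inner = $content instanceof HtmlEscapable
            ? $content->htmlEscape()
            : htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        return new self("<{$name}>{$inner}</{$name}>");
    }

    public function htmlEscape(): string
    {
        return $this->html; // escaped when it was built
    }
}

/** What an escaping echo could do: escape by default, delegate on opt-in. */
function echo_escaped(mixed $value): void
{
    if ($value instanceof HtmlEscapable) {
        echo $value->htmlEscape();
        return;
    }
    echo htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a display name containing markup characters.
$name = new Username('"Quoted" & <tagged> user');

echo_escaped($name);                       // self-escaping value
echo "\n";
echo_escaped(SafeHtml::tag('em', $name));  // structural wrapper, content escaped inside
echo "\n";
echo_escaped('<not a tag> & more');        // untyped string, escaped by default
echo "\n";
```

A single `htmlEscape()` method only covers one output context (HTML text and double-quoted attribute values); a value that ends up inside a `<script>` block, a URL, or a CSS declaration needs a different encoder, which is exactly the kind of distinction a structural approach like XHP can carry in its types and a string-based template cannot.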