Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91806
Return-Path: <daniel@ifixit.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68805 invoked from network); 21 Mar 2016 06:36:12 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Mar 2016 06:36:12 -0000
Authentication-Results: pb1.pair.com header.from=daniel@ifixit.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=daniel@ifixit.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ifixit.com designates 173.203.6.139 as permitted sender)
X-PHP-List-Original-Sender: daniel@ifixit.com
X-Host-Fingerprint: 173.203.6.139 smtp139.ord.emailsrvr.com Linux 2.6
Received: from [173.203.6.139] ([173.203.6.139:41567] helo=smtp139.ord.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B3/C1-58932-A569FE65 for <internals@lists.php.net>; Mon, 21 Mar 2016 01:36:10 -0500
Received: from smtp18.relay.ord1a.emailsrvr.com (localhost.localdomain [127.0.0.1])
	by smtp18.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id AF8883001AA
	for <internals@lists.php.net>; Mon, 21 Mar 2016 02:36:07 -0400 (EDT)
X-Auth-ID: daniel@ifixit.com
Received: by smtp18.relay.ord1a.emailsrvr.com (Authenticated sender: daniel-AT-ifixit.com) with ESMTPSA id 64161300146
	for <internals@lists.php.net>; Mon, 21 Mar 2016 02:36:07 -0400 (EDT)
X-Sender-Id: daniel@ifixit.com
Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170])
	(using TLSv1.2 with cipher AES128-GCM-SHA256)
	by 0.0.0.0:587 (trex/5.5.4);
	Mon, 21 Mar 2016 02:36:07 -0400
Received: by mail-lb0-f170.google.com with SMTP id bc4so120725988lbc.2
        for <internals@lists.php.net>; Sun, 20 Mar 2016 23:36:07 -0700 (PDT)
X-Gm-Message-State: AD7BkJJAe8O5/3Os4GvVKSfmrJQAeGQqfmd6HEDEhGYmHPGkzFtVl1+Ipuj6SvHaISF6g+6koc9cASEexawF+w==
X-Received: by 10.112.14.102 with SMTP id o6mr9891762lbc.87.1458542165975;
 Sun, 20 Mar 2016 23:36:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.16.201 with HTTP; Sun, 20 Mar 2016 23:35:46 -0700 (PDT)
In-Reply-To: <CAGa2bXbjNQXwVsFmGgFVUPCFV-t2Tye+xA3MDNpA_ydjvCQ3jA@mail.gmail.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
 <CAGa2bXbjNQXwVsFmGgFVUPCFV-t2Tye+xA3MDNpA_ydjvCQ3jA@mail.gmail.com>
Date: Sun, 20 Mar 2016 23:35:46 -0700
X-Gmail-Original-Message-ID: <CACNm7o9NNVFrgqeufBoDgyhE-eGQix6bZwq=XGVwsROSXVb5Ag@mail.gmail.com>
Message-ID: <CACNm7o9NNVFrgqeufBoDgyhE-eGQix6bZwq=XGVwsROSXVb5Ag@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: daniel@ifixit.com (Daniel Beardsley)

> Issue is "Escaping is done on a specific context".
>
> I understand your proposal is focused on HTML escaping. However,
> setting names like
> __auto_escape_exempt_class
> is not good choice. It has to be
> __auto_html_escape_exempt_class
> at least because it is for HTML escaping.

Yes, the ini settings have poor names and can totally be changed.

> In addition, HTML consists of multiple contexts
>
>  - HTML context that requires HTML escape
>  - URI context that requires URI escape
>  - JavaScript context, embedded JavaScript strings for example , that
>    requires JavaScript string escape, etc.
>    e.g. http://blog.ohgaki.net/javascript-string-escape (Sorry. It's
>    my blog and written in Japanese.
>    You may try translation service or you should be able to understand
>    PHP code at least)
>  - CSS context that requires CSS escape.
>    e.g. https://developer.mozilla.org/ja/docs/Web/API/CSS/escape
>  - And so on

You are right. Though not all those problems are serious:
* HTML attributes:
  Use ENT_QUOTES so that content is escaped well enough
  for use in quoted attributes (still need quotes though)
* URI escaping:
  Does anyone really use <?= ?> or echo when generating a uri?
* Javascript:
  Good point, though I would say it's fairly rare to create javascript
  code using a php template with variables. The most we ever do
  in our app is  <?= json_encode($someArray) ?>
* Eveything else:
  I think the better solution here is to simply let the user control this.
  Provide an ini setting that allows a custom output function to be set
  so the user could control what happens to unsafe strings and what
  the exemptions are. I'm considering doing this. This was html-only
  at the beginning because we only created this for html templates
  and were able to call the internal php functions directly, ginving
  us nearly no performance penalty.

>
> Dealing HTML context only would be problematic even if it works for many cases.
>
> Escaping must be done depends on context. Multiple contexts may apply
> also. HTML context only escaping would not work well.. Applying proper
> escapes to variables in HTML is very complex task..
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net