Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:91807 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 70680 invoked from network); 21 Mar 2016 06:42:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Mar 2016 06:42:06 -0000 Authentication-Results: pb1.pair.com header.from=daniel@ifixit.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=daniel@ifixit.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ifixit.com designates 173.203.6.131 as permitted sender) X-PHP-List-Original-Sender: daniel@ifixit.com X-Host-Fingerprint: 173.203.6.131 smtp131.ord.emailsrvr.com Linux 2.6 Received: from [173.203.6.131] ([173.203.6.131:58438] helo=smtp131.ord.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0E/22-58932-DB79FE65 for ; Mon, 21 Mar 2016 01:42:06 -0500 Received: from smtp21.relay.ord1a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp21.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id C7D1C80104 for ; Mon, 21 Mar 2016 02:42:02 -0400 (EDT) X-Auth-ID: daniel@ifixit.com Received: by smtp21.relay.ord1a.emailsrvr.com (Authenticated sender: daniel-AT-ifixit.com) with ESMTPSA id 7C0CF800DE for ; Mon, 21 Mar 2016 02:42:02 -0400 (EDT) X-Sender-Id: daniel@ifixit.com Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170]) (using TLSv1.2 with cipher AES128-GCM-SHA256) by 0.0.0.0:587 (trex/5.5.4); Mon, 21 Mar 2016 02:42:02 -0400 Received: by mail-lb0-f170.google.com with SMTP id k12so120594203lbb.1 for ; Sun, 20 Mar 2016 23:42:02 -0700 (PDT) X-Gm-Message-State: AD7BkJLyi+HSodEu8zcpKTRUTSDEoXs+i0AUIOEcA3/uoX3sKgo30J7PuuCjO/yp4i5YoRA8HBn5MHrdeOXVEQ== X-Received: by 10.112.26.175 with SMTP id m15mr10411490lbg.118.1458542521067; Sun, 20 Mar 2016 23:42:01 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.16.201 with HTTP; Sun, 20 Mar 2016 23:41:41 -0700 (PDT) In-Reply-To: References: Date: Sun, 20 Mar 2016 23:41:41 -0700 X-Gmail-Original-Message-ID: Message-ID: To: Jesse Schalken Cc: Yasuo Ohgaki , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] RFC about automatic template escaping From: daniel@ifixit.com (Daniel Beardsley) > Wouldn't this __auto_escape setting effectively break libraries that depend > on it being on or off? The settings was meant to be turned on *only* during template rendering. So, yes, if outside code is run during your template rendering that also uses templating, but is unaware of auto escaping, things will be double-escaped. In our project, we've never run into this problem. Most php libraries we use aren't in the business of producing strings with php templates. And if they are, we haven't called them during template rendering. > > People often write code to generate HTML like this: > > ob_start(); > ?> > >
some HTML
> >
more HTML
> > > > $html = ob_get_clean(); > > > If that code is in a library, it can't be used with this setting enabled. > That could become a real pain point for the whole PHP ecosystem.