Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91807
Return-Path: <daniel@ifixit.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 70680 invoked from network); 21 Mar 2016 06:42:06 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Mar 2016 06:42:06 -0000
Authentication-Results: pb1.pair.com header.from=daniel@ifixit.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=daniel@ifixit.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ifixit.com designates 173.203.6.131 as permitted sender)
X-PHP-List-Original-Sender: daniel@ifixit.com
X-Host-Fingerprint: 173.203.6.131 smtp131.ord.emailsrvr.com Linux 2.6
Received: from [173.203.6.131] ([173.203.6.131:58438] helo=smtp131.ord.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 0E/22-58932-DB79FE65 for <internals@lists.php.net>; Mon, 21 Mar 2016 01:42:06 -0500
Received: from smtp21.relay.ord1a.emailsrvr.com (localhost.localdomain [127.0.0.1])
	by smtp21.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id C7D1C80104
	for <internals@lists.php.net>; Mon, 21 Mar 2016 02:42:02 -0400 (EDT)
X-Auth-ID: daniel@ifixit.com
Received: by smtp21.relay.ord1a.emailsrvr.com (Authenticated sender: daniel-AT-ifixit.com) with ESMTPSA id 7C0CF800DE
	for <internals@lists.php.net>; Mon, 21 Mar 2016 02:42:02 -0400 (EDT)
X-Sender-Id: daniel@ifixit.com
Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170])
	(using TLSv1.2 with cipher AES128-GCM-SHA256)
	by 0.0.0.0:587 (trex/5.5.4);
	Mon, 21 Mar 2016 02:42:02 -0400
Received: by mail-lb0-f170.google.com with SMTP id k12so120594203lbb.1
        for <internals@lists.php.net>; Sun, 20 Mar 2016 23:42:02 -0700 (PDT)
X-Gm-Message-State: AD7BkJLyi+HSodEu8zcpKTRUTSDEoXs+i0AUIOEcA3/uoX3sKgo30J7PuuCjO/yp4i5YoRA8HBn5MHrdeOXVEQ==
X-Received: by 10.112.26.175 with SMTP id m15mr10411490lbg.118.1458542521067;
 Sun, 20 Mar 2016 23:42:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.16.201 with HTTP; Sun, 20 Mar 2016 23:41:41 -0700 (PDT)
In-Reply-To: <CAF1yvAR3DP_i8Q-8Qk3hxtE7=YCLF+pTCLvs2-WUqCqp5B2Pgw@mail.gmail.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
 <CAGa2bXbjNQXwVsFmGgFVUPCFV-t2Tye+xA3MDNpA_ydjvCQ3jA@mail.gmail.com> <CAF1yvAR3DP_i8Q-8Qk3hxtE7=YCLF+pTCLvs2-WUqCqp5B2Pgw@mail.gmail.com>
Date: Sun, 20 Mar 2016 23:41:41 -0700
X-Gmail-Original-Message-ID: <CACNm7o_WcbUwJtdBXmrKpO8AqPz0FBPH+iNgFybrHF1gqcJhQw@mail.gmail.com>
Message-ID: <CACNm7o_WcbUwJtdBXmrKpO8AqPz0FBPH+iNgFybrHF1gqcJhQw@mail.gmail.com>
To: Jesse Schalken <me@jesseschalken.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: daniel@ifixit.com (Daniel Beardsley)

> Wouldn't this __auto_escape setting effectively break libraries that depend
> on it being on or off?

The settings was meant to be turned on *only* during template
rendering. So, yes, if outside code is run during your template
rendering that also uses templating, but is unaware of
auto escaping, things will be double-escaped.

In our project, we've never run into this problem. Most php
libraries we use aren't in the business of producing strings
with php templates. And if they are, we haven't called them
during template rendering.

>
> People often write code to generate HTML like this:
>
> ob_start();
> ?>
>
> <div>some HTML <?= escape_html($other_text) ?></div>
>
> <div>more HTML <?= $other_html ?></div>
>
> <!-- etc -->
>
> <?php
> $html = ob_get_clean();
>
>
> If that code is in a library, it can't be used with this setting enabled.
> That could become a real pain point for the whole PHP ecosystem.