Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: me@jesseschalken.com (Jesse Schalken)
Date: Mon, 21 Mar 2016 18:14:58 +1100
To: Daniel Beardsley
Cc: Sara Golemon, PHP internals

On Mon, Mar 21, 2016 at 4:53 PM, Daniel Beardsley wrote:

> > This approach has the smell of magic quotes which we got rid of for
> > very good reason. XHP is much more explicit in separating markup from
> > data and relies far less (not at all when you do it right) on escape
> > hatches.
>
> Huh, I don't see similarities to magic quotes at all. That had to do with
> attempting to sanitize input data (plenty of problems with that). All
> templating systems have a means of making the default output
> mechanism perform escaping and a means of preventing that
> escaping with, this adds the same for php templates.

The similarity is that magic quotes assumed that the input data was going to be embedded within an SQL query without escaping, and therefore needed escaping. Of course that's an invalid assumption: the input data could be re-rendered, processed in some arbitrary way, written to a file, sent in an email, to another web service, etc etc.

This feature makes a similar assumption about output, rather than input. Specifically, it assumes that the output is HTML, and that what is being echoed hasn't already been escaped and therefore needs to be escaped. Of course that's an invalid assumption: command line scripts do echo/print of plain text, and I've seen PHP scripts generate JSON (eg a web service), JavaScript, CSS and plain text via the output buffer. Not to mention anything could do

    ob_start();
    // ...
    echo $blah;
    // ...
    $foo = ob_get_clean();

or

    ob_start();
    // ...
    ?>......
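The point made in the message above, that the output context (HTML, JSON, plain text) decides which escaping is correct and that content captured through the output buffer may not be HTML at all, as an added example that is not part of the mailing-list post or of the RFC it discusses. `auto_echo` is a hypothetical stand-in for an escape-on-echo rule; `UNTRUSTED` is a constructed request value; the code assumes PHP 8 (`str_contains`, `JSON_THROW_ON_ERROR`).

```php
<?php
declare(strict_types=1);

// Constructed untrusted value, as it might arrive in a request parameter.
const UNTRUSTED = '<script>alert("x")</script> & "quotes"';

// Escaping for the HTML body/attribute context.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical escape-on-echo helper: it cannot know the output context,
// nor whether the caller has already escaped the value once.
function auto_echo(string $s): void
{
    echo escape_html($s);
}

// A web-service endpoint building JSON through the output buffer.
function render_json(string $value, bool $autoEscape): string
{
    ob_start();
    $json = json_encode(['value' => $value], JSON_THROW_ON_ERROR);
    $autoEscape ? auto_echo($json) : print($json);
    return ob_get_clean();
}

// A template fragment that the template layer has already HTML-escaped.
function render_html(string $value, bool $autoEscape): string
{
    ob_start();
    $escaped = escape_html($value);          // template layer escapes once
    $autoEscape ? auto_echo($escaped) : print($escaped);
    return ob_get_clean();
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Context-correct escaping: JSON survives a round trip, HTML is escaped once.
$json = render_json(UNTRUSTED, false);
check(json_decode($json, true, 512, JSON_THROW_ON_ERROR)['value'] === UNTRUSTED,
      'JSON round-trips when echo is left alone');

$html = render_html(UNTRUSTED, false);
check($html === '&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;',
      'HTML escaped exactly once by the template layer');

// Escape-on-echo applied to the same buffers: the JSON is no longer JSON
// (" became &quot;) and the HTML is double-escaped (&lt; became &amp;lt;).
$brokenJson = render_json(UNTRUSTED, true);
check(json_decode($brokenJson, true) === null,
      'escape-on-echo corrupts JSON captured via ob_start/ob_get_clean');

$doubled = render_html(UNTRUSTED, true);
check(str_contains($doubled, '&amp;lt;'),
      'escape-on-echo double-escapes already-escaped HTML');
```

Run with `php example.php`; each `check` prints a line or throws. The JSON case is the security-relevant one in both directions: a blanket HTML escape breaks non-HTML output, while relying on it for HTML tempts a template layer to stop escaping itself, which leaves every non-HTML output path unescaped again.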