Newsgroups: php.internals
Xref: news.php.net php.internals:91810
Date: Mon, 21 Mar 2016 00:28:34 -0700
From: daniel@ifixit.com (Daniel Beardsley)
To: Jesse Schalken
Cc: Sara Golemon, PHP internals
Subject: Re: [PHP-DEV] RFC about automatic template escaping

> The similarity is that magic quotes assumed that the input data was going to
> be embedded within an SQL query without escaping, and therefore needed
> escaping. Of course that's an invalid assumption, the input data could be
> re-rendered, processed in some arbitrary way, written to a file, sent in an
> email, to another web service, etc etc.
>
> This feature makes a similar assumption about output, rather than input.
> Specifically, it assumes that the output is HTML, and what is being echoed
> hasn't already been escaped and therefore needs to be escaped.

True, but the difference is that safety is the default instead of the
exception. Every system has an assumption. It's better that mistakes about
escaping cause double-escaped HTML than an XSS hole.

> that's an invalid assumption, command line scripts do echo/print of plain
> text, and I've seen PHP scripts generate JSON (e.g. a web service),
> JavaScript, CSS and plain text via the output buffer. Not to mention
> anything could

So I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
turned on during template rendering (imagine you have a Template class):

    function render() {
        ini_set('__auto_escape', 1);   // proposed RFC setting: escape everything echoed from here on
        require $this->templatePath;   // the template itself runs with escaping on
        ini_set('__auto_escape', 0);   // back to normal output once the template has run
    }
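The scoped switch in Daniel's render() sketch, as an added example that is not code from the thread or from the RFC. Released PHP has no __auto_escape ini setting, and user-land code cannot make a bare echo escape its argument, so this emulates the parts of the idea that carry the security argument with plain PHP 8.1+: escaping is the default for everything the template outputs through the helper, raw markup needs an explicit SafeHtml wrapper, the mode is switched on only for the duration of render() and restored in a finally block so an exception inside a template cannot leave it in the wrong state, and the template runs in a static closure so it cannot see $this or clobber the loader's own variables. The Template, SafeHtml and out() names are my own, not anything the RFC proposes; the template file is constructed inline so the script runs stand-alone.

```php
<?php
// Added example, not code from the RFC or from the thread. Emulates a
// render()-scoped "escape by default" mode with existing PHP; the
// __auto_escape ini setting the RFC proposes does not exist in released PHP.
declare(strict_types=1);

final class SafeHtml
{
    // Wraps markup that is already safe; the only way to get raw HTML out.
    public function __construct(public readonly string $html) {}
}

final class Template
{
    // Hypothetical stand-in for the RFC's __auto_escape flag.
    private static bool $autoEscape = false;

    public function __construct(private string $templatePath) {}

    /** Escape-by-default output helper used by templates. */
    public static function out(mixed $value): string
    {
        if ($value instanceof SafeHtml) {
            return $value->html;            // explicit opt-out only
        }
        if (!self::$autoEscape) {
            return (string) $value;         // outside render(): plain output
        }
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    /** Render with auto-escaping on only for the duration of this call. */
    public function render(array $vars): string
    {
        $previous = self::$autoEscape;
        self::$autoEscape = true;
        ob_start();
        try {
            // Static closure: the template sees neither $this nor render()'s
            // locals; EXTR_SKIP keeps it from overwriting $__path / $__vars.
            (static function (string $__path, array $__vars): void {
                extract($__vars, EXTR_SKIP);
                require $__path;
            })($this->templatePath, $vars);
            return ob_get_clean();
        } catch (\Throwable $e) {
            ob_end_clean();                 // drop partial output, re-raise
            throw $e;
        } finally {
            self::$autoEscape = $previous;  // restored even when the template throws
        }
    }
}

// Constructed demo: a template written to a temp file so this runs stand-alone.
$path = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents(
    $path,
    '<p>Hello, <?= Template::out($name) ?></p>' . "\n"
    . '<div><?= Template::out($widget) ?></div>' . "\n"
);

$tpl = new Template($path);
echo $tpl->render([
    'name'   => '<script>alert(1)</script>',     // attacker-controlled: escaped
    'widget' => new SafeHtml('<b>trusted</b>'),   // pre-escaped: passes through
]);
unlink($path);
```

The failure mode matches Daniel's point: if a value is escaped once before it reaches the template and again by out(), the page shows literal entities rather than executing script; the only way to get unescaped markup into the page is to wrap it in SafeHtml deliberately, which is the line a reviewer has to look for.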