Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: me@jesseschalken.com (Jesse Schalken)
To: Daniel Beardsley
Cc: Sara Golemon, PHP internals
Date: Mon, 21 Mar 2016 18:39:46 +1100

I think having the behaviour of language features depend in an incompatible way on a global runtime setting is a bad idea because it creates nonlocal effects and means code cannot be reliably composed. Effectively, every function and method will have an implicit assumption about whether or not it is supposed to be called "during templating", i.e. with __auto_escape set to 0 or 1. If you are *very* careful to separate your "templating" code from the rest of your code and not to call either from the other, I guess it would work, but it creates a burden on programmers that I'd rather they not have.

Without this setting, I know I always need to do . Easy. But now, to figure out whether I need to escape my HTML or not, I have to traverse the call graph to try to figure out what the value of __auto_escape is going to be at *runtime*. Eugh.
On Mon, Mar 21, 2016 at 6:28 PM, Daniel Beardsley wrote:

> > The similarity is that magic quotes assumed that the input data was going to
> > be embedded within an SQL query without escaping, and therefore needed
> > escaping. Of course that's an invalid assumption, the input data could be
> > re-rendered, processed in some arbitrary way, written to a file, sent in an
> > email, to another web service, etc etc.
> >
> > This feature makes a similar assumption about output, rather than input.
> > Specifically, it assumes that the output is HTML, and what is being echoed
> > hasn't already been escaped and therefore needs to be escaped.
>
> True, but the difference is that safety is the default instead of
> the exception. Every system has an assumption. It's better that
> mistakes about escaping cause double-escaped html than
> an XSS hole.
>
> > that's an invalid assumption, command line scripts do echo/print of plain
> > text, and I've seen PHP scripts generate JSON (eg a web service),
> > JavaScript, CSS and plain text via the output buffer. Not to mention
> > anything could so
>
> I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
> turned on during template rendering (imagine you have a Template
> class):
>
> function render() {
>     ini_set('__auto_escape', 1);
>     require $this->templatePath;
>     ini_set('__auto_escape', 0);
> }
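As an added illustration of the composability problem Jesse describes (this is not code from the RFC or from either poster), a PHP simulation of the proposed flag: the `$GLOBALS['__auto_escape']` variable and the `out()` function standing in for `echo` under that flag are assumptions, since PHP has no such ini setting.

```php
<?php
// Added example: simulate "echo escapes while __auto_escape is 1" and show
// that one reusable helper produces different output depending on which
// context it happens to be called from. The flag variable is an assumption;
// PHP has no __auto_escape setting.

$GLOBALS['__auto_escape'] = 0;

/** Stand-in for echo under the RFC: escapes only while the flag is 1. */
function out(string $s): void {
    echo $GLOBALS['__auto_escape']
        ? htmlspecialchars($s, ENT_QUOTES, 'UTF-8')
        : $s;
}

/** A reusable helper written defensively: it escapes its own input. */
function renderLink(string $url, string $label): void {
    out('<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>');
}

/** The render() from the quoted reply, with a template body inlined. */
function renderTemplate(string $title): void {
    $GLOBALS['__auto_escape'] = 1;
    out("<h1>$title</h1>");            // user data: escaped by the flag, good
    renderLink('/x?a=1&b=2', '<b>');   // same helper: now double-escaped,
                                       // the link renders as literal text
    // If the template threw above, this reset would be skipped and the flag
    // would leak to every later echo in the request: the nonlocal effect.
    $GLOBALS['__auto_escape'] = 0;
}

// Same helper, two call sites, two different outputs.
renderLink('/x?a=1&b=2', '<b>');       // outside templating: correct HTML
echo "\n";
renderTemplate('Hello <b>world</b>');  // constructed sample "user" title
echo "\n";
```

The first call prints a working anchor tag; inside `renderTemplate()` the identical call prints `&lt;a href=&quot;...&quot;&gt;...`, so the helper's author has to know the caller's flag state to get either behaviour right.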