Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91812
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
X-PHP-List-Original-Sender: daniel@ifixit.com
MIME-Version: 1.0
In-Reply-To:
References:
Date: Mon, 21 Mar 2016 01:41:07 -0700
X-Gmail-Original-Message-ID:
Message-ID:
To: Jesse Schalken
Cc: Sara Golemon, PHP internals
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: daniel@ifixit.com (Daniel Beardsley)

> I think having the behaviour of language features depend in an incompatible
> way on a global runtime setting is a bad idea because it creates nonlocal
> effects and means code cannot be reliably composed.

This is probably the best argument against this RFC. Though how often that
issue would come up... I have no idea. It hasn't yet in our usage (2 years),
but we don't use that many external libraries during template rendering, at
least none that have used their own templating.

A potential solution is to create a new syntax like:

> Effectively, every function and method will have an implicit assumption
> about whether or not it is supposed to be called "during templating", i.e.
> with __auto_escape set to 0 or 1. If you are very careful to separate your
> "templating" code from the rest of your code and not to call either from the
> other, I guess it would work, but it creates a burden on the programmers I'd
> rather them not have.

I think I fail to see the burden. You write code as normal; it's always safe,
so no thought required there. When some template helper function generates
HTML, it must tag it as such upon returning:

    return html($someHtmlStr)

Perhaps I've never had the need to use PHP's templating features to generate
something other than HTML during our HTML template rendering phase.

> Without this setting, I know I always need to do .
> Easy.

Sure, but that's a lot of ugly syntax, and you'd have to enforce usage of that
function with a regex in a pre-commit hook or a CI build to prevent dangerous
mistakes.

> But now to figure out whether I need to escape my HTML or not I have to
> traverse the call graph to try to figure out what the value of __auto_escape
> is going to be at runtime. Eugh.

Huh? I think I'm missing something, or my description wasn't clear enough. The
point of *auto* is that you don't need to escape anything. Templates shouldn't
need to include new HtmlString() nor htmlspecialchars(). Functions that
generate HTML simply return an HtmlString object. The template will pass them
straight through.

Our methodology has been to mark content as HTML at the source (when it is
generated, in small bits), and the downstream (the templates) don't have to
care and can safely echo anything.
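The "mark HTML at the source" scheme Daniel describes, written out as an added userland PHP example (this is not code from the thread, from ifixit, or from the RFC; the class and helper names HtmlString, html(), e() and link_to() are assumed here). A single output helper escapes every plain value and passes through only values that were tagged as HTML where they were generated, so the template itself never calls htmlspecialchars():

```php
<?php
// Added example: a userland sketch of "tag HTML at the source, escape
// everything else at output". The names HtmlString, html(), e() and
// link_to() are assumed for this example; they are not PHP built-ins.

declare(strict_types=1);

// Wrapper whose only job is to carry the "this is already safe HTML" mark.
final class HtmlString
{
    public function __construct(private string $html) {}

    public function __toString(): string
    {
        return $this->html;
    }
}

// Tag a string as HTML. Only the code that built the markup should call this,
// so the decision "is this HTML?" is made at the source, not in the template.
function html(string $safeHtml): HtmlString
{
    return new HtmlString($safeHtml);
}

// The one output function templates use: HtmlString passes straight through,
// anything else is treated as untrusted text and escaped for HTML body and
// attribute context (ENT_QUOTES). ENT_SUBSTITUTE prevents htmlspecialchars()
// from silently returning '' on invalid UTF-8, which would hide data loss.
function e(mixed $value): string
{
    if ($value instanceof HtmlString) {
        return (string) $value;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A small markup-generating helper of the kind Daniel mentions: it escapes its
// own inputs and then tags the finished markup on the way out.
function link_to(string $url, string $label): HtmlString
{
    return html('<a href="' . e($url) . '">' . e($label) . '</a>');
}

// Constructed sample input standing in for user-controlled data.
$userName   = '<script>alert(1)</script>';
$profileUrl = 'https://example.invalid/u?id=1&tab="x"';

// The "template": every interpolation goes through e(); no escaping calls
// appear here, and the anchor built by link_to() is not double-escaped.
$out = '<p>Hello, ' . e($userName) . '</p>'
     . '<p>' . e(link_to($profileUrl, 'Profile')) . '</p>';

echo $out, PHP_EOL;
```

Two design points worth noting. First, e() is the only place in the template layer that decides between "escape" and "pass through", and it decides on type rather than on a global mode flag, which is the property Daniel is defending against the composability objection. Second, the HtmlString mark means "safe in HTML element and attribute context" only; a value destined for a JavaScript block, a URL scheme check, or a CSS property needs its own context-specific encoding, and a helper that tags such output as HtmlString would reintroduce exactly the mistake the scheme is meant to remove.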