Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91812
Return-Path: <daniel@ifixit.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 83438 invoked from network); 21 Mar 2016 08:41:32 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Mar 2016 08:41:32 -0000
Authentication-Results: pb1.pair.com smtp.mail=daniel@ifixit.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=daniel@ifixit.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ifixit.com designates 173.203.6.131 as permitted sender)
X-PHP-List-Original-Sender: daniel@ifixit.com
X-Host-Fingerprint: 173.203.6.131 smtp131.ord.emailsrvr.com Linux 2.6
Received: from [173.203.6.131] ([173.203.6.131:53959] helo=smtp131.ord.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EF/44-58932-BB3BFE65 for <internals@lists.php.net>; Mon, 21 Mar 2016 03:41:31 -0500
Received: from smtp17.relay.ord1a.emailsrvr.com (localhost.localdomain [127.0.0.1])
	by smtp17.relay.ord1a.emailsrvr.com (SMTP Server) with ESMTP id 9B1A22800D8
	for <internals@lists.php.net>; Mon, 21 Mar 2016 04:41:28 -0400 (EDT)
X-Auth-ID: daniel@ifixit.com
Received: by smtp17.relay.ord1a.emailsrvr.com (Authenticated sender: daniel-AT-ifixit.com) with ESMTPSA id 46A782800CE
	for <internals@lists.php.net>; Mon, 21 Mar 2016 04:41:28 -0400 (EDT)
X-Sender-Id: daniel@ifixit.com
Received: from mail-lb0-f175.google.com (mail-lb0-f175.google.com [209.85.217.175])
	(using TLSv1.2 with cipher AES128-GCM-SHA256)
	by 0.0.0.0:587 (trex/5.5.4);
	Mon, 21 Mar 2016 04:41:28 -0400
Received: by mail-lb0-f175.google.com with SMTP id qe11so67714360lbc.3
        for <internals@lists.php.net>; Mon, 21 Mar 2016 01:41:28 -0700 (PDT)
X-Gm-Message-State: AD7BkJIzWDyJ/k3c3u7ZdjOo24ajGlVUs6DJHGhc83qA47yuXK6kl43z2byISWNmG9s7UdgGNfsbEYuQHyU6+g==
X-Received: by 10.112.130.41 with SMTP id ob9mr10122608lbb.81.1458549686692;
 Mon, 21 Mar 2016 01:41:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.16.201 with HTTP; Mon, 21 Mar 2016 01:41:07 -0700 (PDT)
In-Reply-To: <CAF1yvAQ5oGEhyF1tv_XuRbukEoqYKZPhQjNT1W3aR_-Ldt_ruA@mail.gmail.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
 <CAESVnVprfe-0n7kq5JdoW3jVsb1jLZ+MSenQbZZJKjAXJh6NDA@mail.gmail.com>
 <CACNm7o8ahmP0GdiZmd_BPVa1jvA_bZz4oVY-krMgcq_P6LpzGg@mail.gmail.com>
 <CAF1yvAS3Oh_vp37q0xbQ-E-ZPfLn0c2EAEDjihqOtuq-HgZ5AQ@mail.gmail.com>
 <CACNm7o-_XFF57AR7R2J-rGfRn_jn9ott=8YLq1TkwcM1OrK4HQ@mail.gmail.com> <CAF1yvAQ5oGEhyF1tv_XuRbukEoqYKZPhQjNT1W3aR_-Ldt_ruA@mail.gmail.com>
Date: Mon, 21 Mar 2016 01:41:07 -0700
X-Gmail-Original-Message-ID: <CACNm7o-hRJxUgCpFqkRmHos8fH=G-sBQt-8Q76v3FL7+qy_3Dg@mail.gmail.com>
Message-ID: <CACNm7o-hRJxUgCpFqkRmHos8fH=G-sBQt-8Q76v3FL7+qy_3Dg@mail.gmail.com>
To: Jesse Schalken <me@jesseschalken.com>
Cc: Sara Golemon <pollita@php.net>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: daniel@ifixit.com (Daniel Beardsley)

> I think having the behaviour of language features depend in an incompatible
> way on a global runtime setting is a bad idea because it creates nonlocal
> effects and means code cannot be realiably composed.

This is probably the best argument against this RFC. Though how often
that issue would come up... I have no idea. It hasn't yet in our usage
(2 years) but we don't use that many external libraries during template
rendering, at least none that have used their own templating.

A potential solution is to create a new syntax like: <?E= or something
but that of course has even more challenges and backward
incompatability, unless it's done in an extension.. hmm. You would then
have to prevent usage of <?= in templates with a pre-commit hook
or add the check to your CI build.

> Effectively, every
> function and method will have an implicit assumption about whether or not it
> is supposed to be called "during templating" i.e. with __auto_escape set to
> 0 or 1. If you are very careful to separate your "templating" code from the
> rest of your code and not to call either from the other, I guess it would
> work, but it creates a burden on the programmers I'd rather them not have.

I think I fail to see the burden. You write code as normal, it's always safe
to <?= $anything ?> so no thought required there.
When some template helper function generates html,
it must tag it as such upon returning: return html($someHtmlStr)

Perhaps I've never never had the need to use php's templating
features to generate something other than HTML during our
HTML template rendering phase.

> Without this setting, I know I always need to do <?= to_html( $text ) ?>.
> Easy.

Sure, but that's a lot of ugly syntax and you'd have to enforce usage of
that function with a regex in a pre-commit hook or a CI build to prevent
dangerous mistakes.

> But now to figure out whether I need to escape my HTML or not I have
> traverse the call graph to try to figure out what the value of __auto_escape
> is going to be at runtime. Eugh.

Huh? I think I'm missing something, or my description wasn't clear enough.
The point of *auto* is that you don't need to escape anything.
Templates shouldn't need to include new HtmlString()
nor htmlspecialchars(). Functions that generate html simply return an
HtmlString object. The template will pass them straight through.
Our methodology has been to mark content as HTML at the source
(when it is generated, in small bits) and the downstream (the templates)
don't have to care and can safely echo anything.