Newsgroups: php.internals
Xref: news.php.net php.internals:91815
Date: Mon, 21 Mar 2016 12:42:03 +0000
From: Chris Riley <t.carnage@gmail.com>
To: Rowan Collins
Cc: PHP internals
In-Reply-To: <56EFE897.3070804@gmail.com>
Subject: Re: [PHP-DEV] RFC about automatic template escaping

Honestly, as it stands this is a pretty terrible idea.

1. It has a huge potential for introducing BC breaks.
   - I have some code somewhere which uses output buffering and echo to write cached copies of HTML pages to disk. This would break that.
   - Writing out HTML-like structures when running as a CLI shouldn't be affected, but it probably would be.
   - Several systems store HTML templates in a database and echo them. Possible breaking change here.
2. Relying on an ini setting for security is a bad idea: we did that with magic quotes and look how that turned out.
3. Ini setting changes at runtime cannot be relied upon. (Think shared hosting providers who might switch this on (or off) globally and deny changes to it at runtime.)
4. Already mentioned, but there is more to escaping than just HTML.

If you decide to pursue this further, try using declare(this_is_a_template=true) at the top of each template file to enable this behaviour instead of an ini setting. This then applies on a per-file basis and sidesteps numerous issues.
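The fourth point above, that escaping is context-dependent rather than one HTML filter, is easiest to see with the same untrusted value rendered into several places on a page. The following is an added illustration, not code from Chris Riley, the RFC, or the PHP project: the `Esc` class, its method names and the sample `$name` string are all constructed here, and it assumes PHP 7.3 or later for `JSON_THROW_ON_ERROR`.

```php
<?php
// Added example (not from the thread): one untrusted value rendered into
// four output contexts, each with the escaper that context needs. A blanket
// HTML escape applied to every echo only fits the first of them.
declare(strict_types=1);

final class Esc
{
    // HTML text nodes and double-quoted attribute values.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // A JavaScript string literal inside an inline <script> block. The
    // JSON_HEX_* flags emit "<", ">", "&" and both quote characters as
    // \uXXXX escapes, so the HTML parser never sees a closing tag or a
    // quote inside the script body.
    public static function js(string $s): string
    {
        return json_encode(
            $s,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
        );
    }

    // One query-string value. The result still goes through html() when it
    // lands in an href attribute, because the attribute is parsed by HTML
    // before the browser ever interprets the URL.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }
}

// Constructed sample input with characters that matter in each context.
$name = "O'Neil & Sons <b>\"tools\"</b> 50% off";

// Template rendered with a context-aware escaper chosen per placement.
$page = '<p>' . Esc::html($name) . '</p>' . "\n"
      . '<input value="' . Esc::html($name) . '">' . "\n"
      . '<a href="/search?q=' . Esc::html(Esc::url($name)) . '">search</a>' . "\n"
      . '<script>var customer = ' . Esc::js($name) . ';</script>' . "\n";

echo $page;

// What an HTML-only escaper does to the other two contexts. Inside <script>
// entities are not decoded, so the JS variable literally contains "&apos;"
// and "&amp;"; in the href the HTML parser decodes "&amp;" back to "&", which
// the URL parser then reads as a parameter separator, and the space and "%"
// are passed through untouched.
$wrongJs  = '<script>var customer = "' . Esc::html($name) . '";</script>';
$wrongUrl = '<a href="/search?q=' . Esc::html($name) . '">search</a>';
echo $wrongJs, "\n", $wrongUrl, "\n";
```

Run it with `php example.php` and compare the two `<a>` and `<script>` lines: the first pair carries the value intact through each parser, the second pair shows the data corruption that a single global escape would silently introduce, which is the same reason a per-context escaper (or a per-file opt-in as suggested above) is preferable to an ini switch applied to every echo.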