Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91839
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
To: internals@lists.php.net
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com> <CAGa2bXbjNQXwVsFmGgFVUPCFV-t2Tye+xA3MDNpA_ydjvCQ3jA@mail.gmail.com> <CACNm7o9NNVFrgqeufBoDgyhE-eGQix6bZwq=XGVwsROSXVb5Ag@mail.gmail.com>
Date: Tue, 22 Mar 2016 13:24:46 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: Quoted-Printable
Message-ID: <op.yep7fksgzsg2np@hnb2>
User-Agent: Opera Mail/1.0 (Win32)
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: j.tvr@centrum.cz (=?utf-8?Q?Jan_Tvrd=C3=ADk?=)

On Mon, 21 Mar 2016 07:35:46 +0100, Daniel Beardsley <daniel@ifixit.com>=
  =

wrote:

>> Issue is "Escaping is done on a specific context".
>>
>> I understand your proposal is focused on HTML escaping. However,
>> setting names like
>> __auto_escape_exempt_class
>> is not good choice. It has to be
>> __auto_html_escape_exempt_class
>> at least because it is for HTML escaping.
>
> Yes, the ini settings have poor names and can totally be changed.
>
>> In addition, HTML consists of multiple contexts
>>
>>  - HTML context that requires HTML escape
>>  - URI context that requires URI escape
>>  - JavaScript context, embedded JavaScript strings for example , that=

>>    requires JavaScript string escape, etc.
>>    e.g. http://blog.ohgaki.net/javascript-string-escape (Sorry. It's
>>    my blog and written in Japanese.
>>    You may try translation service or you should be able to understan=
d
>>    PHP code at least)
>>  - CSS context that requires CSS escape.
>>    e.g. https://developer.mozilla.org/ja/docs/Web/API/CSS/escape
>>  - And so on
>
> You are right. Though not all those problems are serious:
> * HTML attributes:
>   Use ENT_QUOTES so that content is escaped well enough
>   for use in quoted attributes (still need quotes though)
> * URI escaping:
>   Does anyone really use <?=3D ?> or echo when generating a uri?
> * Javascript:
>   Good point, though I would say it's fairly rare to create javascript=

>   code using a php template with variables. The most we ever do
>   in our app is  <?=3D json_encode($someArray) ?>
> * Eveything else:
>   I think the better solution here is to simply let the user control  =

> this.
>   Provide an ini setting that allows a custom output function to be se=
t
>   so the user could control what happens to unsafe strings and what
>   the exemptions are. I'm considering doing this. This was html-only
>   at the beginning because we only created this for html templates
>   and were able to call the internal php functions directly, ginving
>   us nearly no performance penalty.
>
>>
>> Dealing HTML context only would be problematic even if it works for  =

>> many cases.
>>
>> Escaping must be done depends on context. Multiple contexts may apply=

>> also. HTML context only escaping would not work well.. Applying prope=
r
>> escapes to variables in HTML is very complex task..
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net


The escape context could be detected (e.g. Latte template engine support=
s  =

context-aware escaping for years =E2=80=93  =

https://latte.nette.org/en/#toc-context-aware-escaping) but the logic is=
  =

quite complex for it to be included in PHP core.

Also relying on ini setting is evil as it may break existing libraries. =
 =

You would need to introduce a different way to manage the setting, e.g. =
 =

introduce new language construct require_template which would turn this =
 =

behavior on for a single included file or new declare(template_mode=3D1)=
  =

which you would need to write at the beginning of each template.

Regards,
Jan Tvrdik