Newsgroups: php.internals (php.internals:91839)
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: Jan Tvrdík <j.tvr@centrum.cz>
To: internals@lists.php.net
Date: Tue, 22 Mar 2016 13:24:46 +0100

On Mon, 21 Mar 2016 07:35:46 +0100, Daniel Beardsley wrote:

>> Issue is "Escaping is done on a specific context".
>>
>> I understand your proposal is focused on HTML escaping. However,
>> setting names like
>> __auto_escape_exempt_class
>> is not a good choice. It has to be
>> __auto_html_escape_exempt_class
>> at least because it is for HTML escaping.
>
> Yes, the ini settings have poor names and can totally be changed.
>
>> In addition, HTML consists of multiple contexts
>>
>> - HTML context that requires HTML escape
>> - URI context that requires URI escape
>> - JavaScript context, embedded JavaScript strings for example, that
>> requires JavaScript string escape, etc.
>> e.g. http://blog.ohgaki.net/javascript-string-escape (Sorry. It's
>> my blog and written in Japanese.
>> You may try a translation service or you should be able to understand
>> the PHP code at least)
>> - CSS context that requires CSS escape.
>> e.g. https://developer.mozilla.org/ja/docs/Web/API/CSS/escape
>> - And so on
>
> You are right. Though not all those problems are serious:
> * HTML attributes:
> Use ENT_QUOTES so that content is escaped well enough
> for use in quoted attributes (still need quotes though)
> * URI escaping:
> Does anyone really use or echo when generating a uri?
> * Javascript:
> Good point, though I would say it's fairly rare to create javascript
> code using a php template with variables. The most we ever do
> in our app is
> * Everything else:
> I think the better solution here is to simply let the user control
> this.
> Provide an ini setting that allows a custom output function to be set
> so the user could control what happens to unsafe strings and what
> the exemptions are. I'm considering doing this. This was html-only
> at the beginning because we only created this for html templates
> and were able to call the internal php functions directly, giving
> us nearly no performance penalty.
>
>>
>> Dealing with the HTML context only would be problematic even if it works for
>> many cases.
>>
>> Escaping must be done depending on context. Multiple contexts may apply
>> also. HTML-context-only escaping would not work well. Applying proper
>> escapes to variables in HTML is a very complex task.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net

The escape context could be detected (e.g. the Latte template engine has supported
context-aware escaping for years – https://latte.nette.org/en/#toc-context-aware-escaping),
but the logic is quite complex for it to be included in PHP core.

Also, relying on an ini setting is evil as it may break existing libraries.
You would need to introduce a different way to manage the setting, e.g.
introduce a new language construct require_template which would turn this
behavior on for a single included file, or a new declare(template_mode=1)
which you would need to write at the beginning of each template.

Regards,
Jan Tvrdik
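The per-context escaping the thread argues for (HTML text and quoted attributes, URL parameters, JS string literals, CSS strings, and contexts that nest), shown as an added PHP example; this is not code from the thread, the RFC, or Latte. It assumes PHP 7.3 or newer (mb_ord, JSON_THROW_ON_ERROR) and uses a constructed sample value.

```php
<?php
declare(strict_types=1);

// Each escaper is correct only for the context named in its comment.
function esc_html(string $s): string {
    // HTML text, and values inside *quoted* attributes (ENT_QUOTES covers ' and ").
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_url_param(string $s): string {
    // One query-string value: percent-encodes everything outside the RFC 3986 unreserved set.
    return rawurlencode($s);
}

function esc_js_string(string $s): string {
    // Returns a complete, quoted JS string literal. The HEX flags keep < > & ' " out of
    // the literal, so it is also safe when the literal sits inside a <script> block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

function esc_css_string(string $s): string {
    // For use inside a quoted CSS string: hex-escape every code point outside [A-Za-z0-9].
    // The trailing space terminates the escape, as the CSS syntax allows.
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%06X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed sample input carrying the delimiter characters of every context above.
$value = "O'Reilly & \"Sons\" </script>";

// HTML text and quoted-attribute context: HTML escaping alone is sufficient.
echo '<p>' . esc_html($value) . "</p>\n";
echo '<input value="' . esc_html($value) . "\">\n";

// URL parameter nested in an attribute: two contexts apply, escape inside-out
// (URL-encode the value first, then HTML-escape the result for the attribute).
echo '<a href="/search?q=' . esc_html(esc_url_param($value)) . "\">link</a>\n";

// JS string context: HTML escaping here would leave literal entities in the string
// (script content is not entity-decoded) and would not touch backslashes or newlines.
echo '<script>var name = ' . esc_js_string($value) . ";</script>\n";

// CSS string context.
echo '<style>.x::after { content: "' . esc_css_string($value) . "\"; }</style>\n";
```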