Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91962
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92941 invoked from network); 27 Mar 2016 01:19:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Mar 2016 01:19:03 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.47 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.47 mail-pa0-f47.google.com  
Received: from [209.85.220.47] ([209.85.220.47:36451] helo=mail-pa0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 51/42-03797-60537F65 for <internals@lists.php.net>; Sat, 26 Mar 2016 20:19:02 -0500
Received: by mail-pa0-f47.google.com with SMTP id tt10so72065877pab.3
        for <internals@lists.php.net>; Sat, 26 Mar 2016 18:19:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:cc:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding;
        bh=WGtIJBYE7NgH5k1NaO0spCDSKYCBPcAXbo+3WeP/9oI=;
        b=ZgAn7BDOCDTfBD6ifu0DChSfN5DGPZzbYAEmq/nL04Ji47iaWq9komuQTPtZuagGBQ
         fRkfKGuZDaGCxPhb2Zck+og7CP6uHYP6O01+DX9rjkhjl02dGpI+SksHDDbduSZFWy00
         LMD/P7d5WVKuT9uIqae7SUB4Hig0iKet0e9HZBCHcQ5yIS9ZSCF3EzE5f/nTUnq+rpiu
         lwRG9odjmYMx6x+7Tl6u3nrcgWCc5z85JOpb34f9vswiYUvSwuCvyjSbXHPEGDQJqDat
         IAXihNAGjNRm1xFNRzPHM+7+V8BZ9zr/4ny27R0NoMjOfF5ZDsMWm+87vnT4qfTAn7jd
         hTjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:cc:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=WGtIJBYE7NgH5k1NaO0spCDSKYCBPcAXbo+3WeP/9oI=;
        b=U4ZyHj4TVZfB7uO3Sl45UArnC2VijPiyX4NNRp4gSi5SXgHZzCLfCUrWZebJXkY9XI
         DmjlPOPShhOvBb1j6xVXwr+VVRl6j0c+LnDOofkV3nkBhmfmnihCEI4II8OooNsL6Fww
         KLaPdM5giR303kfFUZFWOo6gk1NtmZkc3rZ2SxVFPIPdDB2OgpfvZstbvplqsysCBJS6
         HDJXrO3ATau+ahTg+1Z4oiq/TYRUJ05TxsNJRMA4EsrMMgPov5wbMuv4PCcgN+9qeWXa
         s07nOrsLqd4ieCpWm5L0xTfjdEvakktKAQeL65gc7hIgf84USjiKSMhhT9Xb1OCJdDm7
         7W/A==
X-Gm-Message-State: AD7BkJImkxAKbin0WVqRxt52/op/mkLpXAtcVgUVmbuSQSXw37jXMzheTICRiC/ksA/Kdg==
X-Received: by 10.66.167.145 with SMTP id zo17mr31680857pab.73.1459041539936;
        Sat, 26 Mar 2016 18:18:59 -0700 (PDT)
Received: from Stas-Air.local ([2602:304:cdc2:e5f0:edf7:4db:6253:3d54])
        by smtp.gmail.com with ESMTPSA id m89sm25628784pfi.12.2016.03.26.18.18.58
        (version=TLSv1/SSLv3 cipher=OTHER);
        Sat, 26 Mar 2016 18:18:58 -0700 (PDT)
To: Daniel Beardsley <daniel@ifixit.com>,
 Jesse Schalken <me@jesseschalken.com>
References: <CACNm7o9-6z0rxAAxnWyUFhYU+YD-QnecWrJF-PQ=z+a9qNQ=EA@mail.gmail.com>
 <CAESVnVprfe-0n7kq5JdoW3jVsb1jLZ+MSenQbZZJKjAXJh6NDA@mail.gmail.com>
 <CACNm7o8ahmP0GdiZmd_BPVa1jvA_bZz4oVY-krMgcq_P6LpzGg@mail.gmail.com>
 <CAF1yvAS3Oh_vp37q0xbQ-E-ZPfLn0c2EAEDjihqOtuq-HgZ5AQ@mail.gmail.com>
 <CACNm7o-_XFF57AR7R2J-rGfRn_jn9ott=8YLq1TkwcM1OrK4HQ@mail.gmail.com>
Cc: Sara Golemon <pollita@php.net>, PHP internals <internals@lists.php.net>
Message-ID: <56F734FC.5000400@gmail.com>
Date: Sat, 26 Mar 2016 18:18:52 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0)
 Gecko/20100101 Thunderbird/38.7.1
MIME-Version: 1.0
In-Reply-To: <CACNm7o-_XFF57AR7R2J-rGfRn_jn9ott=8YLq1TkwcM1OrK4HQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> True, but the difference is that safety is the default instead of
> the exception. Every system has an assumption. It's better that

This sounds as the major assumption is there's some procedure ("the
safety") that allows to render any output safe. This could not be more
wrong. Escaping is highly context-dependent, and without knowing
specific details of the context it is impossible to do proper escaping.
I do not see how by setting one flag you could provide proper context.
Moreover, one template may include multiple contexts.

> I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
> turned on during template rendering (imagine you have a Template
> class):

I think there's assumption here templates only exist in one context or
at least allow user data only in one context. This is not true, of
course. But if it were true, this code would be trivial to make safe:

> function render() {
>    set_ini('__auto_escape', 1);
>    require $this->templatePath;
>    set_ini('__auto_escape', 0);
> }

function render() {
   ob_start();
   require $this->templatePath;
   echo magic_security_filter(ob_get_clean());
}

-- 
Stas Malyshev
smalyshev@gmail.com