Newsgroups: php.internals
To: Daniel Beardsley, Jesse Schalken
Cc: Sara Golemon, PHP internals
Message-ID: <56F734FC.5000400@gmail.com>
Date: Sat, 26 Mar 2016 18:18:52 -0700
Subject: Re: [PHP-DEV] RFC about automatic template escaping
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> True, but the difference is that safety is the default instead of
> the exception. Every system has an assumption. It's better that

This sounds as if the major assumption is that there's some procedure
("the safety") that allows rendering any output safe. This could not be
more wrong. Escaping is highly context-dependent, and without knowing
specific details of the context it is impossible to do proper escaping.
I do not see how by setting one flag you could provide proper context.
Moreover, one template may include multiple contexts.

> I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
> turned on during template rendering (imagine you have a Template
> class):

I think there's an assumption here that templates only exist in one
context, or at least allow user data only in one context. This is not
true, of course. But if it were true, this code would be trivial to make
safe:

> function render() {
>     ini_set('__auto_escape', 1);
>     require $this->templatePath;
>     ini_set('__auto_escape', 0);
> }

function render() {
    ob_start();
    require $this->templatePath;
    echo magic_security_filter(ob_get_clean());
}

-- 
Stas Malyshev
smalyshev@gmail.com
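Added example (PHP, written for this edit and not code from the thread) illustrating the "one template, multiple contexts" point above: the same untrusted value goes through an HTML text/attribute escaper, a URL-parameter escaper and a JavaScript-literal escaper, and the last lines show what the HTML-only rule does when it lands in the URL context. The helper names esc_html, esc_js and esc_url_param are my own.

```php
<?php
// Added example, not from the thread: one untrusted value rendered into four
// contexts of a single template, each with the escaper that context needs.
// A single "auto-escape" flag can apply only one of these rules.
declare(strict_types=1);

// HTML text and double-quoted attribute values.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string literal inside an inline <script> block; the JSON_HEX_*
// flags keep "<", ">", "&" and both quote characters out of the literal.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                           | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// One value in a URL query string. rawurlencode leaves no character that is
// special inside an HTML attribute, so the result can sit directly in href="".
function esc_url_param(string $s): string {
    return rawurlencode($s);
}

// Renders the template; every interpolation names its context explicitly.
function render(string $name): string {
    $html = esc_html($name);       // HTML body and quoted attribute
    $url  = esc_url_param($name);  // query-string value
    $js   = esc_js($name);         // JS string literal in <script>
    return "<p>Hello, {$html}</p>\n"
         . "<input type=\"text\" value=\"{$html}\">\n"
         . "<a href=\"/search?q={$url}\">search</a>\n"
         . "<script>var user = {$js};</script>\n";
}

// Constructed sample input: ordinary characters that each context treats differently.
$input = "O'Reilly & \"Sons\" <br>";
echo render($input);

// For contrast: the HTML-entity rule applied in the URL context. The browser
// decodes &amp; back to "&", which the server then reads as a parameter
// separator, so the value is split in two rather than encoded.
echo "<a href=\"/search?q=" . esc_html($input) . "\">search</a>\n";
```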