Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: derokorian@gmail.com (Ryan Pallas)
Date: Fri, 17 Jun 2016 16:27:54 -0600
To: Thomas Bley
Cc: michael.vostrikov@gmail.com, "internals@lists.php.net", Stanislav Malyshev
In-Reply-To: <20160617202344.2868F1A80C02@dd1730.kasserver.com>

On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley wrote:

> you can simply add the context to the current output operator:
>
> (=strip_tags)
>

Look at that. Add a couple of parens and it's completely implementable in
userland now with no language changes required.

> Regards
> Thomas
>
> Stanislav Malyshev wrote on 17.06.2016 22:14:
>
> > Hi!
> >
> >> Most of the output code is an output of properties of database entities,
> >> and only in some cases is it needed to concatenate HTML into a string and
> >> then print it with unescaped output. An escaped output operator can be
> >> useful. Also, we output data not into the void and not into a simple text
> >> file, but into an HTML document which has a certain format (markup). Also
> >> this is logical - to have both forms, escaped and unescaped.
> >
> > This has been discussed on the list a number of times. The main issue with
> > this kind of proposal is that escaping is context-dependent. E.g.
> > htmlspecialchars() would not help you in many scenarios - e.g. it won't
> > protect you from XSS if you ever place user-controlled data in HTML
> > attributes. Having an operator for each of the possible contexts does not
> > really look feasible, and having it for only one of them and not the
> > others would mislead people into thinking this operator is generic
> > and can be used in all contexts safely.
> >
> > --
> > Stas Malyshev
> > smalyshev@gmail.com
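The two points above (Stas: escaping is context-dependent and htmlspecialchars() alone does not cover attribute or script contexts; Thomas: a per-context function can already be called inside the existing output operator) as an added PHP example that is not part of this thread. The helper names e_html, e_attr, e_js and e_url and the sample input are assumptions, not PHP built-ins or anything proposed on the list.

```php
<?php
declare(strict_types=1);

// Context-specific escapers meant to be called as <?= e_attr($x) ?> etc.
// in a template. Names are hypothetical; each one targets exactly one context.

function e_html(string $s): string {
    // Element text content: &, <, > and both quote styles are neutralised.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function e_attr(string $s): string {
    // Attribute value: same transformation, but the template must also
    // quote the attribute; an unquoted attribute cannot be made safe by escaping.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function e_js(string $s): string {
    // String literal inside <script>: json_encode, with HEX flags so that
    // <, >, & and quotes cannot end the script block or the literal early.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function e_url(string $s): string {
    // Query-string parameter value.
    return rawurlencode($s);
}

// Constructed sample value containing both quote styles and a tag.
$input = "O'Neil \"Bob\" <b>";

// ENT_COMPAT was the default flag before PHP 8.1: it leaves the single quote
// untouched, so inside a single-quoted attribute the value can close the
// attribute. That is the attribute case Stas refers to.
$compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');

printf("ENT_COMPAT : <a title='%s'>\n", $compat);
printf("e_attr     : <a title='%s'>\n", e_attr($input));
printf("e_html     : <p>%s</p>\n", e_html($input));
printf("e_js       : <script>var name = %s;</script>\n", e_js($input));
printf("e_url      : <a href=\"/search?q=%s\">\n", e_url($input));
```

Running it side by side shows why a single generic operator is misleading: the ENT_COMPAT line still contains a raw single quote, while each helper produces output that is inert only in the one context it is written for.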