Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94109
Return-Path: <rasmus@mindplay.dk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 59920 invoked from network); 18 Jun 2016 15:44:30 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Jun 2016 15:44:30 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@mindplay.dk; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@mindplay.dk; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain mindplay.dk from 209.85.213.53 cause and error)
X-PHP-List-Original-Sender: rasmus@mindplay.dk
X-Host-Fingerprint: 209.85.213.53 mail-vk0-f53.google.com  
Received: from [209.85.213.53] ([209.85.213.53:34664] helo=mail-vk0-f53.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 78/84-18862-C5C65675 for <internals@lists.php.net>; Sat, 18 Jun 2016 11:44:29 -0400
Received: by mail-vk0-f53.google.com with SMTP id t129so150379294vka.1
        for <internals@lists.php.net>; Sat, 18 Jun 2016 08:44:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mindplay-dk.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=DXkcs+whpFf2a/TLLFktGzGRBJmPd8w5LrYeqy3f2Uk=;
        b=LXP6FJyCEtipVohydxgCi5tzL4++ECvY7oF4w3YIIkx86INR25K9jbTcJA1JLvPxus
         TBk97a+iWcYMs/5k7R648i/HdzWyGQFBOG9dLByuo6ZnJBjFpPpg3Du6WvNAqTKvgKE7
         dQZnVzIAa+7ToaYKISqh22frxBQi9ub2D6n/BLJd/B71lVSSCkaWQyV48IbM+4Asp5EL
         75Q8kAWJOnKh9dE/VofYy+0Jpy4wm72nVIb7MQ+fSXuxRnJxasZ5qBB43WAlDcbBAAjM
         M/HWTEsjLdF6D+wAbb5W5i6O/CMFSSlOWvJLHIqHXCVO2sVWkLqIOyvEPGcVmQFFY1bu
         E0cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=DXkcs+whpFf2a/TLLFktGzGRBJmPd8w5LrYeqy3f2Uk=;
        b=Pyq3Rfqq7PqfC2JWN89Bw1h7xJZQeZEcIQi2yBCcmaQ4DmNAMUoQ3IopioO5biICQp
         YdaXXj1AgOg7TITPkG+MZi8fjeWl6L2mgen12NyjVyGYF8okXhnpL8oBWHd88CtSv2MP
         neusoJ2tRkHHxKXMaRu3v00br6SF9aFlyCGjhBIhQyEMxO8NicFLdlWI5WCe8ngQJCMA
         1NXNUR56I5lMEB+ORAUdg3JO14rp39IFIzfjXJkvSuJvlcgQE5vHt72gu7Kyt7J3FshX
         +MJO5fhCgHRV4uqyiz/cHIgXNhDHFUCx1MVOUXz9Zdr7Fb6q1TSYzAG/vRqiznJQA+A6
         8VCA==
X-Gm-Message-State: ALyK8tL3bKD35BFdLALmI4bwa/MQnlcVP8FjDMRAIo5th8JO0ccvDkAjF0E2sdlRNr/KNGpHcFMK3QrO1tpXWQ==
X-Received: by 10.159.36.65 with SMTP id 59mr3128948uaq.71.1466264665483; Sat,
 18 Jun 2016 08:44:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.88.148 with HTTP; Sat, 18 Jun 2016 08:44:24 -0700 (PDT)
In-Reply-To: <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com>
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com>
 <b9318b90-f850-12a2-459d-8995220922df@gmail.com> <20160617202344.2868F1A80C02@dd1730.kasserver.com>
 <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com>
Date: Sat, 18 Jun 2016 17:44:24 +0200
Message-ID: <CADqTB_ijxN_ZVcAdLrpnejtYNO2x6Z1Q4PcnARCRE+etDuhF3w@mail.gmail.com>
To: Ryan Pallas <derokorian@gmail.com>
Cc: Thomas Bley <mails@thomasbley.de>, michael.vostrikov@gmail.com, 
	"internals@lists.php.net" <internals@lists.php.net>, Stanislav Malyshev <smalyshev@gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] New escaped output operator
From: rasmus@mindplay.dk (Rasmus Schultz)

> Add a couple parens and its completely implementable in userland

If we could autoload functions, I bet that's what everyone would be doing.

At the moment, no one is able to commit to that pattern, because it
doesn't scale - you can't just keep adding to a list of global
functions (and files) that get aggressively loaded whenever you render
a view, even if each view uses only one or two of them...

So in practice, you minimally end up with something like this:

<?php use My\Stuff\EscapeFunctions as e; ?>
<?=e::html($str) ?>
<?=e::attr($str) ?>
<?=e::text($str) ?>
...

But that isn't really practical either, since you can only cram so
many functions into the same class - at which point you start adding
more classes...

<?php use My\Stuff\EscapeFunctions as e; ?>
<?php use My\Stuff\OtherFunctions as o; ?>
<?=e::html($str) ?>
<?=o::stuff(...) ?>

It quickly gets ugly, messy and confusing.

Then I start thinking about crazy solutions like tokenizing the
template file first and dynamically adding require_once statements for
any functions discovered being used, which would be more convenient,
but quite overly complex for such a small problem - and we're still
talking about occupying the global namespace with lots of functions.

And so you likely end up accepting that it's ugly and inconvenient,
and you resign yourself to use-statements and static methods, or
fully-static classes, which I've taken to referring to as
"psuedo-namespaces", since we're really abusing classes as a kind of
namespace for functions, just so we can get them to autoload.

Functions just aren't all that convenient or useful in PHP, because
they largely depend on manual use of require_once, which feels really
ugly and old-fashioned (since everything else autoloads like it's
supposed to) - and it isn't even always possible, since, for example,
you can't (reliably) know where a Composer package is located relative
to your project or package; it depends on whether your project is
currently the root package (e.g. under test) or an installed package
in the vendor-folder.

I really like pure functions - they're neat, simple and predictable.
In Javascript (and other languages) I always use functions first and
resort to classes only when there's a real clear benefit. In PHP, I
feel like I'm almost always forced into using classes for everything,
mainly because that's what works best in PHP and creates the least
rub.

This has been bothering me for many years - and I wish that I could
propose a solution, but I really don't have any ideas.

Can we do something to improve and encourage the use of functions in PHP?


On Sat, Jun 18, 2016 at 12:27 AM, Ryan Pallas <derokorian@gmail.com> wrote:
> On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley <mails@thomasbley.de> wrote:
>
>> you can simply add the context to the current output operator:
>> <?=html($str) ?>
>> <?=attr($str) ?>
>> <?=text($str) ?> (=strip_tags)
>> <?=js($str) ?>
>> <?=css($str) ?>
>>
>
> Look at that. Add a couple parens and its completely implementable in
> userland now with no language changes required.
>
>
>> Regards
>> Thomas
>>
>> Stanislav Malyshev wrote on 17.06.2016 22:14:
>>
>> > Hi!
>> >
>> >> Most of output code is an output of properties of database entities, and
>> >> only in some cases it's needed to concatenate HTML into string and then
>> >> print it with unescaped output. Escaped output operator can be useful.
>> Also
>> >> we output data not into the void and not into simple text file, but into
>> >> HTML-document which has a certain format (markup). Also this is logical
>> -
>> >> to have both forms, escaped and unescaped.
>> >
>> > This has been discussed on the list a number of times. Main issue with
>> > this kind of proposals is that escaping is context-dependent. E.g.
>> > htmlspecialchars() would not help you in many scenarios - e.g. it won't
>> > protect you from XSS if you ever place user-controlled data in HTML
>> > attributes. Having operator for each of the possible contexts does not
>> > really looks feasible, and having it for only one of them and not the
>> > others would be misleading people into thinking this operator is generic
>> > and can be used in all contexts safely.
>> >
>> > --
>> > Stas Malyshev
>> > smalyshev@gmail.com
>> >
>> > --
>> > PHP Internals - PHP Runtime Development Mailing List
>> > To unsubscribe, visit: http://www.php.net/unsub.php
>> >
>>
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>