Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94112
Return-Path: <ocramius@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 99625 invoked from network); 19 Jun 2016 07:59:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Jun 2016 07:59:44 -0000
Authentication-Results: pb1.pair.com header.from=ocramius@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ocramius@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.46 as permitted sender)
X-PHP-List-Original-Sender: ocramius@gmail.com
X-Host-Fingerprint: 74.125.82.46 mail-wm0-f46.google.com  
Received: from [74.125.82.46] ([74.125.82.46:34984] helo=mail-wm0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9E/97-18862-DE056675 for <internals@lists.php.net>; Sun, 19 Jun 2016 03:59:42 -0400
Received: by mail-wm0-f46.google.com with SMTP id v199so33931505wmv.0
        for <internals@lists.php.net>; Sun, 19 Jun 2016 00:59:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=nvKjVUD0luBCgx00NV20MKA8IrdlXnJAA+zsXUU2OA8=;
        b=0lEJATxM2PBE05syZBm9P7J/idOPM0vRY7E9UChCn3dRJ/EGF9zB7WWhOYee71SdFf
         uHxPN6Vinp4ti9dtS+7bHEbmTbfFS95GMdWEF3R8SU6vbA34w/o0bMuTHNK5TITofsyR
         AIudST4IUVirHhUO6naVBg0sH7RSmGB3ZgK46ZM5SIvH3f1mYumvPe2ZsgEzO/yTbsAz
         /8qTwxtnXCPH+7SHtp1sv5/bTJKdyHHQPi34tWV2+UDap5/h/548975Br8h3nLgN96ru
         wd/Jh0+sJcDmHWPjx5DojIGtzNiKSHzRhbn7p8BBYrS3ZNECDf2tYLS/dC5v3RDgjUAi
         A1Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=nvKjVUD0luBCgx00NV20MKA8IrdlXnJAA+zsXUU2OA8=;
        b=FFll71MEkrUabcB4wrSF8w/ZYIlElNbwtVnxB+35XQLJ4GFc/4Q44pvOzLeG/++UWo
         46iWlCq9A22lnBQEor1lj9R4Ydo1D6RXxmTvbPWRgueo+qcaWl/NGX1MjhnsZlZ33eTI
         SWkeXT4h4dcj+EfAYvkd2yY0g0TAzO3OS8db5dZD9fQT+DYZW12zVt32U+hol6EFF+x0
         kRbtOJsmQZTiCcd0iDP+cZfIUwbjCYmzmIVUozGiY7NZQYJA1i84p3tsz16UnBSZlSAw
         C58NrStB4FKBVuzYS1AHz2k7vxpYoF7y7P1TtP3T9ImKIo739CNd5i1dd/6MW15DYu4y
         EW6A==
X-Gm-Message-State: ALyK8tIDfDgNlK+3olnyk/2J4h+0PyNAm1gxqKW38UQm9xYpj6BiZ3nXH9N/veIhdkEvFgyJSZupjfou1Ar+eA==
X-Received: by 10.194.151.73 with SMTP id uo9mr8922161wjb.177.1466323178404;
 Sun, 19 Jun 2016 00:59:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.163.106 with HTTP; Sun, 19 Jun 2016 00:59:18 -0700 (PDT)
In-Reply-To: <CANUQDCjgSohsYWmkWOLfdL+9Jzio_uY-vnYVc4fzd6kmGaL46g@mail.gmail.com>
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com>
 <b9318b90-f850-12a2-459d-8995220922df@gmail.com> <20160617202344.2868F1A80C02@dd1730.kasserver.com>
 <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com>
 <CADqTB_ijxN_ZVcAdLrpnejtYNO2x6Z1Q4PcnARCRE+etDuhF3w@mail.gmail.com> <CANUQDCjgSohsYWmkWOLfdL+9Jzio_uY-vnYVc4fzd6kmGaL46g@mail.gmail.com>
Date: Sun, 19 Jun 2016 09:59:18 +0200
Message-ID: <CADyq6sJmj=bnN+65-59UrsJuuc8dYxP3HPqNOktjnRFexcFVWA@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>
Cc: Rasmus Schultz <rasmus@mindplay.dk>, Ryan Pallas <derokorian@gmail.com>, 
	Stanislav Malyshev <smalyshev@gmail.com>, Thomas Bley <mails@thomasbley.de>, 
	"internals@lists.php.net" <internals@lists.php.net>, michael.vostrikov@gmail.com
Content-Type: multipart/alternative; boundary=089e012294462cc05505359cf8ae
Subject: Re: [PHP-DEV] New escaped output operator
From: ocramius@gmail.com (Marco Pivetta)

--089e012294462cc05505359cf8ae
Content-Type: text/plain; charset=UTF-8

On 19 June 2016 at 09:53, Niklas Keller <me@kelunik.com> wrote:

> Rasmus Schultz <rasmus@mindplay.dk> schrieb am Sa., 18. Juni 2016, 17:44:
>
> Did you know that you can alias namespaces, too?
>
> <?php use My\Stuff\Escape as esc; ?>
> <?=esc\html($str)?>
>
> You can always add more functions to a namespace even spread accross
> multiple files.
>

Pro-userland: quick reminder that a `composer update` is much quicker than
a full system PHP version upgrade.

I'd rather rely on an escaping package written in PHP, easier to maintain
and quicker to upgrade, than something that will likely use some obscure
shared library (or the PHP binary itself) that may not be upgraded for
weird reasons (it's shared, remember?).

I know that you put a lot of effort in security maintenance, but it's still
easier to deal with this stuff in userland in any case, and most templating
languages in common frameworks already inject helpers in the script context
in order to achieve quick, effective and context-aware (no automatic
context detection) escaping.

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/

--089e012294462cc05505359cf8ae--