Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94124
Return-Path: <mails@thomasbley.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33156 invoked from network); 19 Jun 2016 16:09:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Jun 2016 16:09:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error)
X-PHP-List-Original-Sender: mails@thomasbley.de
X-Host-Fingerprint: 85.13.128.151 dd1730.kasserver.com  
Received: from [85.13.128.151] ([85.13.128.151:42790] helo=dd1730.kasserver.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 60/7C-18862-4A3C6675 for <internals@lists.php.net>; Sun, 19 Jun 2016 12:09:08 -0400
Received: from dd1730.kasserver.com (dd0800.kasserver.com [85.13.143.204])
	by dd1730.kasserver.com (Postfix) with ESMTPSA id BEC561A80644;
	Sun, 19 Jun 2016 18:09:04 +0200 (CEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SenderIP: 95.91.212.214
User-Agent: ALL-INKL Webmail 2.11
In-Reply-To: <CAEDdnaUz3_6sVN07G+KF15B0avDoTV85UiR1mLie-F3orMrUog@mail.gmail.com>
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com> <b9318b90-f850-12a2-459d-8995220922df@gmail.com> <20160617202344.2868F1A80C02@dd1730.kasserver.com> <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com> <CADqTB_ijxN_ZVcAdLrpnejtYNO2x6Z1Q4PcnARCRE+etDuhF3w@mail.gmail.com> <CANUQDCjgSohsYWmkWOLfdL+9Jzio_uY-vnYVc4fzd6kmGaL46g@mail.gmail.com> <CADyq6sJmj=bnN+65-59UrsJuuc8dYxP3HPqNOktjnRFexcFVWA@mail.gmail.com><CAEDdnaUz3_6sVN07G+KF15B0avDoTV85UiR1mLie-F3orMrUog@mail.gmail.com>
To: ocramius@gmail.com, michael.vostrikov@gmail.com
Cc: me@kelunik.com, rasmus@mindplay.dk, derokorian@gmail.com, smalyshev@gmail.com, internals@lists.php.net
Message-ID: <20160619160904.BEC561A80644@dd1730.kasserver.com>
Date: Sun, 19 Jun 2016 18:09:04 +0200 (CEST)
Subject: Re: [PHP-DEV] New escaped output operator
From: mails@thomasbley.de ("Thomas Bley")

I think it's best to create a rfc and put it to vote: https://wiki.php.net/rfc/howto

Having <?~ makes it a lot easier to do code reviews.
I also think majority of use cases is <?~, other parts can use json_encode(), filter_var() and other filters/escapers.

Regards
Thomas

Михаил Востриков wrote on 19.06.2016 10:38:

> Guys, wait please) I don't suggest escaping package for all contexts and
> for all cases. This is not what I described in my first letter. My point is
> that the main job of echo operator "<?= ?>" is output an unknown value from
> database to an HTML environment. So in all this places we should copy-pase
> the call of htmlspecialchars() to prevent XSS. There are many projects
> which is written on custom engines, or frameworks, or CMS, and they does
> not have any templating engine, and there is no possibility to rewrite many
> working PHP templates to Twig, or Smarty, or something else.
> 
> I suggest new simple operator "<?~ ?>" which will automatically wrap the
> output value in htmlspecialchars(). It is intended specially for HTML, not
> for XML or JS. It does not require any php.ini settings, new classes or
> constants. The reason for implementing it is the same as for implementing
> "??", or "<=>", or "<?= ?>" operators - make better usual and often
> operations, descrease copy-paste, and increase security. I can implement it
> myself and send a patch.
> 
> What do you think?
> 
> 
> 2016-06-19 12:59 GMT+05:00 Marco Pivetta <ocramius@gmail.com>:
> 
>> On 19 June 2016 at 09:53, Niklas Keller <me@kelunik.com> wrote:
>>
>>> Rasmus Schultz <rasmus@mindplay.dk> schrieb am Sa., 18. Juni 2016, 17:44:
>>>
>>> Did you know that you can alias namespaces, too?
>>>
>>> <?php use My\Stuff\Escape as esc; ?>
>>> <?=esc\html($str)?>
>>>
>>> You can always add more functions to a namespace even spread accross
>>> multiple files.
>>>
>>
>> Pro-userland: quick reminder that a `composer update` is much quicker than
>> a full system PHP version upgrade.
>>
>> I'd rather rely on an escaping package written in PHP, easier to maintain
>> and quicker to upgrade, than something that will likely use some obscure
>> shared library (or the PHP binary itself) that may not be upgraded for
>> weird reasons (it's shared, remember?).
>>
>> I know that you put a lot of effort in security maintenance, but it's
>> still easier to deal with this stuff in userland in any case, and most
>> templating languages in common frameworks already inject helpers in the
>> script context in order to achieve quick, effective and context-aware (no
>> automatic context detection) escaping.
>>
>> Marco Pivetta
>>
>> http://twitter.com/Ocramius
>>
>> http://ocramius.github.com/
>>
>>
>