Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94127
Return-Path: <michael.vostrikov@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 41070 invoked from network); 19 Jun 2016 16:54:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Jun 2016 16:54:08 -0000
Authentication-Results: pb1.pair.com smtp.mail=michael.vostrikov@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=michael.vostrikov@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.171 as permitted sender)
X-PHP-List-Original-Sender: michael.vostrikov@gmail.com
X-Host-Fingerprint: 209.85.220.171 mail-qk0-f171.google.com  
Received: from [209.85.220.171] ([209.85.220.171:34904] helo=mail-qk0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 5B/BD-18862-F0EC6675 for <internals@lists.php.net>; Sun, 19 Jun 2016 12:53:36 -0400
Received: by mail-qk0-f171.google.com with SMTP id c73so136490018qkg.2
        for <internals@lists.php.net>; Sun, 19 Jun 2016 09:53:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=+VBUSPkVD+ZK/4MiDN7KnN3ZS9ISMzSmLDu5nJtmmfQ=;
        b=Xfi3vPXtC5BvtNML3V4Hsw0OZugFGck4d3ZY6iupYs8rvQJkJFX+FgFtR2ZXgyflb6
         MCP6k5JftgllhIl/aAXET4lDkn2bcHoc5THZp7I1VZmEYRQioe9pIkcxihMoiRYtFsxg
         PsAOq34pIgKnSXJHX0WaQdad6W4QdjrjVfst4ToDy4PZDv4tgxUBK5hPqU86iLhaskAO
         /9xpuNwfTUdCgPLI/ISjjEMSCAoe1gseV9DzTvyhE+nicMHK8zm+qcKZTWHFEM2nQxvA
         6Iq2PJIAMYCzPLGHaLPSY1P8zMEKy1i3EqibjfItTBc2TK5MitQwwWHBcIT1i6LAV8sY
         b6ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=+VBUSPkVD+ZK/4MiDN7KnN3ZS9ISMzSmLDu5nJtmmfQ=;
        b=UAzUpzp2GRc3ABmjG3UGiDGCCd+G7lP/lFkKkP4VCaYUhvLPhsIkcNtBvv0P4k8yy1
         S4ubWpvYkNT6S3FiDrod8ltVrofiFtXdWWjI2pKLZu5VI+KjmiEJF4ofV+KbH5iuBL/7
         9/lKmMmz8DEGARnz0Almn2+6pf7MRivR2nI0FBQEIGc5H2WDAlVz44Bk6W3z1T11g2Wn
         w3Rl3PVl2vfW7KCKiPiOvVerI/6+1Kg42d7i3SDK5G58l25wZESvZ73W83V2feG9nutv
         mFRI18SFHFl50OPVJKPqdW2UzXcfSTcJv5K9zOJIPZabg+6FwG6yYQY98n6zPd6IlztO
         FrtQ==
X-Gm-Message-State: ALyK8tIcXap6bDQ0zluGUx9ednaH2qQlxE3zB0vglBC9KkkP1EKTQCKpsZOJ1uPpgVcH0IR3cFnmW8Xfjn/ohw==
X-Received: by 10.55.121.67 with SMTP id u64mr16720719qkc.188.1466355213349;
 Sun, 19 Jun 2016 09:53:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.53.71 with HTTP; Sun, 19 Jun 2016 09:53:32 -0700 (PDT)
In-Reply-To: <20160619160904.BEC561A80644@dd1730.kasserver.com>
References: <CAEDdnaX_KbaZB=3WzFAp73E0dCxx5zuoqMbPbakMUGpHyRPJFg@mail.gmail.com>
 <b9318b90-f850-12a2-459d-8995220922df@gmail.com> <20160617202344.2868F1A80C02@dd1730.kasserver.com>
 <CAObuZdvZoACWE1bxz2PUMW+yXHxyEtXuYpPXL=6dEqrsakSNBQ@mail.gmail.com>
 <CADqTB_ijxN_ZVcAdLrpnejtYNO2x6Z1Q4PcnARCRE+etDuhF3w@mail.gmail.com>
 <CANUQDCjgSohsYWmkWOLfdL+9Jzio_uY-vnYVc4fzd6kmGaL46g@mail.gmail.com>
 <CADyq6sJmj=bnN+65-59UrsJuuc8dYxP3HPqNOktjnRFexcFVWA@mail.gmail.com>
 <CAEDdnaUz3_6sVN07G+KF15B0avDoTV85UiR1mLie-F3orMrUog@mail.gmail.com> <20160619160904.BEC561A80644@dd1730.kasserver.com>
Date: Sun, 19 Jun 2016 21:53:32 +0500
Message-ID: <CAEDdnaX759Tdp4AdgzcHTk5r4YagsNC5mRZRVUcgbhT0NL_fGA@mail.gmail.com>
To: Thomas Bley <mails@thomasbley.de>
Cc: Marco Pivetta <ocramius@gmail.com>, Niklas Keller <me@kelunik.com>, 
	Rasmus Schultz <rasmus@mindplay.dk>, Ryan Pallas <derokorian@gmail.com>, 
	Stanislav Malyshev <smalyshev@gmail.com>, internals@lists.php.net
Content-Type: multipart/alternative; boundary=94eb2c0578d09b37190535a46dbb
Subject: Re: [PHP-DEV] New escaped output operator
From: michael.vostrikov@gmail.com (=?UTF-8?B?0JzQuNGF0LDQuNC7INCS0L7RgdGC0YDQuNC60L7Qsg==?=)

--94eb2c0578d09b37190535a46dbb
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Please give me RFC karma. My wiki account is "michael-vostrikov". I plan to
create an RFC for this feature.

2016-06-19 21:09 GMT+05:00 Thomas Bley <mails@thomasbley.de>:

> I think it's best to create a rfc and put it to vote:
> https://wiki.php.net/rfc/howto
>
> Having <?~ makes it a lot easier to do code reviews.
> I also think majority of use cases is <?~, other parts can use
> json_encode(), filter_var() and other filters/escapers.
>
> Regards
> Thomas
>
> =D0=9C=D0=B8=D1=85=D0=B0=D0=B8=D0=BB =D0=92=D0=BE=D1=81=D1=82=D1=80=D0=B8=
=D0=BA=D0=BE=D0=B2 wrote on 19.06.2016 10:38:
>
> > Guys, wait please) I don't suggest escaping package for all contexts an=
d
> > for all cases. This is not what I described in my first letter. My poin=
t
> is
> > that the main job of echo operator "<?=3D ?>" is output an unknown valu=
e
> from
> > database to an HTML environment. So in all this places we should
> copy-pase
> > the call of htmlspecialchars() to prevent XSS. There are many projects
> > which is written on custom engines, or frameworks, or CMS, and they doe=
s
> > not have any templating engine, and there is no possibility to rewrite
> many
> > working PHP templates to Twig, or Smarty, or something else.
> >
> > I suggest new simple operator "<?~ ?>" which will automatically wrap th=
e
> > output value in htmlspecialchars(). It is intended specially for HTML,
> not
> > for XML or JS. It does not require any php.ini settings, new classes or
> > constants. The reason for implementing it is the same as for implementi=
ng
> > "??", or "<=3D>", or "<?=3D ?>" operators - make better usual and often
> > operations, descrease copy-paste, and increase security. I can implemen=
t
> it
> > myself and send a patch.
> >
> > What do you think?
> >
>
>

--94eb2c0578d09b37190535a46dbb--