Newsgroups: php.internals
From: mails@thomasbley.de ("Thomas Bley")
To: internals@lists.php.net, rowan.collins@gmail.com
Date: Tue, 21 Jun 2016 00:28:35 +0200 (CEST)
Message-ID: <20160620222835.BC26C1A80609@dd1730.kasserver.com>
Subject: Re: [PHP-DEV] New escaped output operator

Of course you can make the discussion endless by mentioning escaping of all kinds of third-party frameworks like jQuery, but that's a bit off-topic here.

As mentioned a few times in this thread, ... when I click reply :)

Rowan Collins wrote on 21.06.2016 00:00:
> On 20 June 2016 17:40:05 GMT+01:00, "Михаил Востриков" wrote:
>> Actually, htmlspecialchars() is needed in all three cases:
> ...
>> You may not write htmlspecialchars together with urlencode just because
>> urlencode encodes all special characters in its own way.
>
> So, not needed in all 3 cases then...
>
>> Imagine that urlencode does not encode quotes - what function should we
>> call for its result?
>
> Ideally, an escape filter that performs both functions; if the aim is to make
> things easier, I shouldn't need to think about the need to nest two escape
> functions. If I still have to use non-obvious combinations of magic syntax plus
> function calls, the claim of "secure by default" doesn't really stand up. The ~
> becomes nothing more than an alias that I still need to remember when to
> deploy.
>
> I'm pretty sure the tempting syntax is actively harmful in that situation...
>
>> The fact itself, that there were many discussions about it, indicates that
>> it is a necessary feature.
>
> Popularity is not the same thing as necessity. More relevantly, even when we
> agree on the problem, the simple solution isn't always the best; sometimes it
> pays to think a bit more broadly about the problem space. Larry's escaper
> registration is one example of that.
>
> HackLang's XHP is another - rather than thinking about escaping as an action,
> it gives the compiler richer knowledge of the structure, so it can "know" the
> right escape syntax. If the compiler could look at my previous example and
> recognise the attribute, URL, script, and text contexts itself, then you really
> would have security-by-default. Unfortunately, that too is tricky to generalise
> - what is the correct escape method for an attribute named "data-my-action"...?
>
> Regards,
>
> --
> Rowan Collins
> [IMSoP]
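The quoted exchange turns on one point: a single "escape" operator cannot know whether a value is landing in HTML text, an attribute, a URL parameter or a script block, and a URL inside an attribute needs two encoders layered in the right order. The following is an added illustration written for this page; it is not code from the thread, from the RFC under discussion, or from PHP's own source. It assumes only the standard htmlspecialchars(), rawurlencode() and json_encode() functions with their documented flags, and the helper names (esc_html, esc_url_param, esc_js, render_link) and the sample input are invented for the example.

```php
<?php
// Added example, not from the mailing-list thread: one encoder per output
// context, composed explicitly where contexts nest.
declare(strict_types=1);

/** HTML text nodes and double-quoted attribute values. */
function esc_html(string $s): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, which would silently drop output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A single query-string parameter value (RFC 3986 percent-encoding). */
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

/** A value embedded inside an inline <script> block as a JavaScript literal. */
function esc_js(string $s): string
{
    // JSON_HEX_* turn < > & ' " into \u escapes so the HTML parser never sees
    // a closing </script> or an attribute delimiter inside the literal.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Render one link where the same untrusted value appears in three contexts:
 * a URL parameter inside an href attribute, a data-* attribute, and text.
 * Order matters for the href: URL-encode the parameter first, then
 * attribute-encode the whole URL as the outer layer.
 */
function render_link(string $label, string $query): string
{
    $href = 'https://example.com/search?q=' . esc_url_param($query); // hypothetical URL

    return '<a href="' . esc_html($href) . '" data-q="' . esc_html($query) . '">'
        . esc_html($label)
        . '</a>';
}

// Constructed sample input: quote, tag and an already-encoded entity,
// chosen to exercise every context above.
$input = '"><img src=x onerror=alert(1)>&amp;';

echo render_link('Results for ' . $input, $input), PHP_EOL;
echo '<script>var q = ', esc_js($input), ';</script>', PHP_EOL;
```

Running it shows the three encodings differ: the href value comes out percent-encoded and then entity-encoded, the data-q attribute only entity-encoded, and the script value as a JSON string with \u003C-style escapes. Swapping the two layers in render_link (entity-encoding first, then rawurlencode) would percent-encode the ampersands of the entities and corrupt the query, which is the kind of ordering mistake a bare ~ operator could not catch on its own.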