Newsgroups: php.internals
Subject: Re: [PHP-DEV] New escaped output operator
From: michael.vostrikov@gmail.com (Михаил Востриков)
To: Stanislav Malyshev
Cc: Thomas Bley, PHP Internals, rowan.collins@gmail.com
Date: Wed, 29 Jun 2016 21:39:49 +0500
References: <20160620222835.BC26C1A80609@dd1730.kasserver.com> <14352177-1b49-e2ed-56a3-9a770d0ebf95@gmail.com>

Hello.

I've created an article on the Russian technical site habrahabr.ru.
https://habrahabr.ru/post/304162/

There is a poll about introducing such an operator. About 60% of those people who have projects without a template engine are "for" this operator. And even half of those who don't also think that such an operator can be useful.

I think you can use Google Translate to read it; the common sense and code examples should be understandable.
https://translate.google.com/translate?sl=en&tl=ru&js=y&prev=_t&hl=ru&ie=UTF-8&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F304162%2F&edit-text=&act=url

Current results:

How often do you work with the projects with template rendering on PHP where template engines are not used?
35% (163) Always
22% (104) Quite often
18% (86) Quite rarely
25% (117) Almost never
470 people voted. 116 people abstained.

How do you think, would such an operator be useful?
56% (264) Yes
44% (207) No
471 people voted. 121 people abstained.

I don't use PHP template rendering ...
51% (147) and I think that such an operator is not needed
49% (139) but I think that such an operator will come in handy
286 people voted. 247 people abstained.

Screenshot in Russian: https://habrastorage.org/files/675/9ac/883/6759ac8834044ef0b5a09163c791f376.png

60% are "for" this operator; the projects of the other 40% will not be affected. I think this is a good reason to create an RFC and discuss it on a more global level.

2016-06-21 9:51 GMT+05:00 Михаил Востриков :

> > So, not needed in all 3 cases then...
> So, we can still use
>
> >> Imagine that urlencode does not encode quotes - what function should we call for its result?
> > Ideally, an escape filter that performs both functions; if the aim is to make things easier
> No. The second function really depends on context, but HTML context is always present. The aim is to create a shortcut for HTML escaping, decrease copy-paste, and increase security.
>
> > I shouldn't need to think about the need to nest two escape functions.
> > the claim of "secure by default" doesn't really stand up.
> This is about a super-universal operator. I did not suggest "secure by default". As Thomas said, this is just an alias, not more, not less.
>
> > I'm pretty sure the tempting syntax is actively harmful in that situation...
> You should not call htmlspecialchars inside script tags, even without the operator, because this is not an HTML context.
> > HackLang's XHP is another - rather than thinking about escaping as an action
> > If the compiler could look at my previous example and recognise the attribute, URL, script, and text contexts itself
> This is a very complex solution, and it can cause some issues with performance. Also, as I understand, it just calls htmlspecialchars.
> https://github.com/facebook/xhp-lib/blob/master/src/core/XHP.php#L68
> https://github.com/facebook/xhp-lib/blob/master/src/html/Element.php#L122
>
> > what is the correct escape method for an attribute named "data-my-action"
> It should be HTML-encoded, because it is HTML markup.
>
> > And that is exactly the problem. Inventing operators to alias one invocation of one function with one specific set of parameters is not a good idea, unless there is a *VERY* good reason to do it.
> The call of htmlspecialchars is a very frequent case; the specific set of parameters (HTML context) is always present. Is it a very good reason?
>
> > And the case for this specific piece of code to deserve its own operator is rather weak.
> Why do you think so, why is it weak?) As I showed, HTML context is always present, even if we write inline javascript in an 'onclick' attribute. This is not another context, there are 2 contexts together, and there is no need to determine it inside the compiler - one context is always here. So, it deserves its own operator.
>
> > Let's summarize.
> > We must not call htmlspecialchars() in the following cases:
> > Inside
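As an added example (not code from this mail, the thread, or PHP itself) of the point argued above: a plain function standing in for the proposed HTML-escape shortcut, with the URL or JS encoder applied inside it for values in href and onclick attributes, and no HTML escaping inside a script block. The helper names e(), jsLiteral(), attrUrl() and attrJs() are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the mail or from PHP): a plain-function stand-in for
// the proposed HTML-escape shortcut, showing how context-specific encoders nest
// inside it. Helper names e(), jsLiteral(), attrUrl(), attrJs() are assumptions.

/** HTML context: the outer context that is always present in a template. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** JS string-literal context only (e.g. inside a <script> block, where there is
 *  no HTML context and htmlspecialchars must not be applied). */
function jsLiteral(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** URL query component inside an href attribute: URL context first, then the
 *  enclosing HTML attribute context. */
function attrUrl(string $s): string
{
    return e(urlencode($s));
}

/** JS string literal inside an onclick attribute: two contexts together,
 *  JS first, then the HTML attribute context that is still present. */
function attrJs(string $s): string
{
    return e(jsLiteral($s));
}

// Constructed sample input with characters special to all three contexts.
$name = 'O\'Reilly <"&> ?x=1';

echo '<span title="' . e($name) . '">' . e($name) . "</span>\n";
echo '<a href="/search?q=' . attrUrl($name) . '">link</a>' . "\n";
echo '<button onclick="show(' . attrJs($name) . ')">show</button>' . "\n";
echo '<script>var name = ' . jsLiteral($name) . ";</script>\n";
```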