Newsgroups: php.internals
Date: Fri, 01 Jul 2016 11:46:41 +0000
Subject: Re: [PHP-DEV] New escaped output operator
From: davey@php.net (Davey Shafik)
To: Eugene Leonovich, Михаил Востриков
Cc: PHP Internals

All,

Anybody can write an RFC and call a vote whenever they want within the guidelines set forth for RFCs.

It would be much more productive to get the RFC written and to provide suggestions on improvements (e.g. syntax choice, default options, ways to customize), rather than battling against it. Or stay quiet and vote no. Or do both.

I am personally against this idea as it stands but maybe there is a middle ground and maybe some good can come of it. For example, autoloading functions.

As a suggestion:

Perhaps the ability to register a default stream filter for the default output buffer paired with file level declarations and/or context tagging within blocks is a possible solution.

So something like:

    declare(strict_types=1; output_filter_args=['label' => [ENT_QUOTES | ENT_SUBSTITUTE]]); // must be constant scalar expression?
    // Would be passed in directly as is, the choice for an array with context aware keys/values is up to you

    register_output_filter(function($buffer, $label) { }, 'label'); // should have similar API to spl autoloading, with multiple callback stack

----

Something like this would start to solve some of the problems of context, default arguments, etc. I think functions to set the filter options might be better but using declare makes it easier to limit to current file scope and ensures consistent placement at top.

Also I realize I said to use stream filters and I've used a closure here. Stream filters are complex due to the whole bucket brigade/continuous data stream thing, but have the advantage of being much more performant and resource friendly. Maybe allow both types? Simple callbacks for ease of use, stream filters for performance and complex stuffs.

TL;DR: what's your account? Let's give RFC karma and vote it down if you don't want it.

- Davey

On Fri, Jul 1, 2016 at 02:19 Eugene Leonovich wrote:

> On Fri, Jul 1, 2016 at 10:51 AM, Михаил Востриков <michael.vostrikov@gmail.com> wrote:
>
> > > I can easier add a new template to e.g. a Laravel
> > > project (own parser, own extension, living next to existing blade
> > > templates)
> >
> > Your project already has a template engine, and framework has common code
> > which works with such engines.
> > But how much time do you need to convert all existing templates to a new
> > TE?
> >
> > I mean the projects without template engine, which work and are developed
> > every day.
> > Their number is rather large - various CMSs, projects with custom core, Yii
> > and Zend don't have TE by default.
> > In a big project there are a lot of PHP templates with htmlspecialchars
> > ?> or or everywhere.
> > If we miss this somewhere, we could get an XSS.
> >
> >
> > 2016-07-01 12:53 GMT+05:00 Markus Fischer:
> >
> > > On 01.07.16 05:34, Михаил Востриков wrote:
> > > > Because it is almost impossible to add template engine in a big project
> > > > with PHP templates. But new version of language usually can easily be
> > > > used.
> > >
> > > I interpret "But new version of language usually can easily be used" as
> > > in a new PHP version being installed on a server touted as being
> > > "easier" than changing/replaced/adding a new template language component
> > > with a framework?
> > >
> > > I object to this. I can easier add a new template to e.g. a Laravel
> > > project (own parser, own extension, living next to existing blade
> > > templates) than switching to a new PHP version on production servers.
> > >
> > > - Markus
> > >
> >
>
> > In a big project there are a lot of PHP templates with htmlspecialchars
> > ?> or or everywhere.
>
> How will a new output operator help in this case? You still have to search
> for ` Saying that one can forget to add ` well, you can miss ` result at the end.
>
> --
> Thank you and best regards,
> Eugene Leonovich
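
Added example (not part of the original thread and not code from any of its posters): the thread's concern that a missed htmlspecialchars in a plain PHP template becomes an XSS, and that every echo tag still has to be found and checked, expressed as an audit script built on PHP's tokenizer. The ESCAPERS allow-list, the function names and the sample template are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. ESCAPERS is an assumed allow-list.
const ESCAPERS = ['htmlspecialchars', 'htmlentities'];
// True when the tokens are `escaper( ... )` and that call is the whole expression.
function isFullyEscaped(array $expr): bool
{
    if (end($expr) === ';') { array_pop($expr); } // tolerate a trailing semicolon
    $head = $expr[0] ?? null;
    $isCall = is_array($head) && $head[0] === T_STRING && ($expr[1] ?? null) === '('
        && in_array(strtolower($head[1]), ESCAPERS, true);
    $depth = 0;
    foreach ($expr as $k => $tok) {
        if ($tok === '(') {
            $depth++;
        } elseif ($tok === ')' && --$depth === 0) {
            return $isCall && $k === count($expr) - 1; // text after ")" is unescaped
        }
    }
    return false;
}

// Return [line, expression] for every short echo tag that is not fully escaped.
function findUnescapedEchoes(string $source): array
{
    $findings = [];
    $expr = null; // non-null while inside a short echo tag
    foreach (token_get_all($source) as $tok) {
        $id = is_array($tok) ? $tok[0] : null;
        if ($id === T_OPEN_TAG_WITH_ECHO) {
            [$expr, $line] = [[], $tok[2]];
        } elseif ($expr !== null && $id === T_CLOSE_TAG) {
            if (!isFullyEscaped($expr)) {
                $text = array_map(fn($t) => is_array($t) ? $t[1] : $t, $expr);
                $findings[] = [$line, implode(' ', $text)];
            }
            $expr = null;
        } elseif ($expr !== null && $id !== T_WHITESPACE) {
            $expr[] = $tok;
        }
    }
    return $findings;
}
// Constructed sample template: one fully escaped echo and two that need review.
$sample = <<<'TPL'
<h1><?= htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE) ?></h1>
<p><?= $comment ?></p>
<p><?= htmlspecialchars($first) . $last ?></p>
TPL;
print_r(findUnescapedEchoes($sample));
```

The check covers only the short echo tag; output written with `echo` or `print` inside a regular PHP block needs the same review, and a finding is a prompt to look at the line, not proof of an injection.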