Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94520
Return-Path: <mails@thomasbley.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36015 invoked from network); 16 Jul 2016 16:35:31 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Jul 2016 16:35:31 -0000
Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error)
X-PHP-List-Original-Sender: mails@thomasbley.de
X-Host-Fingerprint: 85.13.128.151 dd1730.kasserver.com  
Received: from [85.13.128.151] ([85.13.128.151:43959] helo=dd1730.kasserver.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 02/60-31884-1526A875 for <internals@lists.php.net>; Sat, 16 Jul 2016 12:35:30 -0400
Received: from dd1730.kasserver.com (dd0802.kasserver.com [85.13.143.1])
	by dd1730.kasserver.com (Postfix) with ESMTPSA id 5B7331A8069C;
	Sat, 16 Jul 2016 18:35:26 +0200 (CEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SenderIP: 92.211.161.133
User-Agent: ALL-INKL Webmail 2.11
In-Reply-To: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
To: internals@lists.php.net, michael.vostrikov@gmail.com
Message-ID: <20160716163526.5B7331A8069C@dd1730.kasserver.com>
Date: Sat, 16 Jul 2016 18:35:26 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: mails@thomasbley.de ("Thomas Bley")

if I see it correctly, this is just a framework for defining callbacks to a escaping operator, without a implementation of "html" and "js"?
Not sure if this helps.

Regards
Thomas

Michael Vostrikov wrote on 16.07.2016 17:33:

> Hello.
> I have created RFC about context-dependent escaping operator.
> https://wiki.php.net/rfc/escaping_operator
> 
> Initial discussion was here: http://marc.info/?t=146619199100001
> 
> 
> At first, I wanted to add a call of special function like
> escaper_call($str, $context), which performs html-escaping by default and
> can be replaced with a separate extension for extended work with contexts.
> But then I figured out better variant.
> 
> 
> Main idea.
> 
> Operator has the following form:
> 
> <?* $str ?>
> <?* $str, 'html' ?>
> <?* $str, 'js | html' ?>
> 
> Both expressions can be any type which can be converted to string. Second
> expression is optional.
> 
> I changed '~' sign because it is not present on keyboard layouts for some
> european languages. And also it does not give any error on previous
> versions of PHP with short tags enabled, because this is recognized as
> bitwise operation.
> 
> 
> Operator is compiled into the following AST:
> 
> echo PHPEscaper::escape(first_argument, second_argument);
> 
> Don't you forget that we already have special operator for one function?
> Backticks and shell_exec(). New operator is compiled very similar to it.
> 
> 
> There is a default implementation of the class 'PHPEscaper'. It has 4
> static methods:
> 
> PHPEscaper::escape($string, $context = 'html');
> PHPEscaper::registerHandler($context, $escaper_function);
> PHPEscaper::unregisterHandler($context);
> PHPEscaper::getHandlers();
> 
> Method PHPEscaper::escape($string, $context) splits $context by '|'
> delimiter, all parts are trimmed, and then calls registered handler for
> every context in a chain.
> 'html' is default value for context, and it has special handling.
> If there is no handler for 'html' context, it calls
> htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE);
> 
> 
> We can use it like this:
> 
> <?php
>    // anywhere in application
>    PHPEscaper::registerHandler('html', [MyEscaper, 'escapeHtml']);
>    PHPEscaper::registerHandler('js', function($str) { return
> json_encode($str); });
> ?>
> <?* $str, 'js | html' ?>
> 
> 
> And even more.
> In the AST, 'PHPEscaper' is registered as not fully qualified name
> (ZEND_NAME_NOT_FQ).
> This allows us to use namespaces and autoloading:
> 
> <?php use MyEscaper as PHPEscaper; ?>
> <?* $str, 'js | html' ?>
> 
> MyEscaper::escape($str, 'js | html') will be called.
> 
> 
> In this way we can have autoloading, multiple contexts, HTML escaping by
> default, and full control and customization.
> This is not an operator for one function, just there is one default
> implementation.
> 
> My first goal is to draw the attention on the problem with a security and
> HTML escaping. Exact implementation is secondary thing.
> 
> This small change can really improve a security and make development easier
> in many applications.
> 
> 
> How do you think, maybe also it would be good to create some official poll
> about this feature and to know community opinion about it?
>