Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)
Date: Thu, 21 Jul 2016 00:55:39 +0500
Cc: PHP Internals List

> escapeHtml($value); ?>
> I don't see what is hard in using that syntax, plus it's not a global registry.

> if people aren't using templating and haven't written any of their own wrappers to sanitize the output

They HAVE their own wrappers. The problem is that the unsafe variant works well, but the unsafe variant should not work well. The problem is that they have to keep in mind that they always need to write a wrapper; they always need to repeat the same action again. And at some point they just miss it and get possible security problems. The problem is that this is a very frequent case, so we need a tool for this case which will prevent wrong work (XSS in particular). We always perform output to some context. Why not just add an easy tool for working with contexts? This is just one call: PHPEscaper::escape(). Consider it like a Facade pattern.

> what's going to drive them to change?

Why then are many people asking about this feature? In my RFC there are 10 links to similar discussions.
They are from those people who were not lazy enough to skip writing to the mailing list or bug tracker. There are also the results of the poll: 286 people are for this operator (now 320, after I wrote about the implementation with contexts). And in the first message I asked about an official poll from the PHP developers. Why not conduct it?
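As an added example (an illustration written for this page, not code from the message above or from the RFC's implementation): a minimal facade of the kind the message describes, with the unsafe output pattern beside it so the difference is visible on hostile input. Only the name PHPEscaper::escape() comes from the message; the escape($value, $context) signature and the context names 'html', 'attr', 'js' and 'url' are assumptions, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Illustrative facade, not the RFC's implementation. The context names and
// the escape($value, $context) signature are assumptions for this example.
final class PHPEscaper
{
    public static function escape(string $value, string $context = 'html'): string
    {
        $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
        switch ($context) {
            case 'html':
            case 'attr':
                // Text between tags, or a *quoted* attribute value: encode & < > " '.
                // An unquoted attribute is still injectable; a facade cannot fix a
                // template that omits the quotes.
                return htmlspecialchars($value, $flags, 'UTF-8');
            case 'js':
                // JavaScript string literal. json_encode adds the surrounding quotes;
                // the HEX flags turn < > & ' " into \uXXXX escapes so that a value
                // containing "</script>" cannot terminate the enclosing element.
                $json = json_encode(
                    $value,
                    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                );
                if ($json === false) {
                    throw new RuntimeException('Value is not valid UTF-8');
                }
                return $json;
            case 'url':
                // A single query-string component (RFC 3986 percent-encoding).
                return rawurlencode($value);
            default:
                // Fail loudly: a mistyped context must never fall back to raw output.
                throw new InvalidArgumentException("Unknown escaping context: $context");
        }
    }
}

// Constructed attacker-controlled input.
$name = '<img src=x onerror=alert(1)>';
$js   = '</script><script>alert(1)</script>';

// Unsafe variant: works fine on benign input, which is exactly why it gets
// written and then forgotten. With $name above this is XSS.
$unsafe = "<p>Hello, $name</p>";

// Safe variant: the same template, one facade call per output site, with the
// context named at the site because the correct escaping differs per context.
$safe  = '<p>Hello, ' . PHPEscaper::escape($name, 'html') . '</p>' . PHP_EOL;
$safe .= '<a title="' . PHPEscaper::escape($name, 'attr') . '">profile</a>' . PHP_EOL;
$safe .= '<script>var user = ' . PHPEscaper::escape($js, 'js') . ';</script>' . PHP_EOL;
$safe .= '<a href="/search?q=' . PHPEscaper::escape($name, 'url') . '">search</a>' . PHP_EOL;

echo "UNSAFE:\n", $unsafe, "\n\nSAFE:\n", $safe;
```

The design point the message is making shows up in the default branch: with an explicit context argument a forgotten or misspelled context is a thrown exception rather than silently emitted raw data, whereas a bare `echo $name` (the unsafe variant) produces no error at all and only fails when the input is hostile.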