Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)
To: Mathieu Rochette
Cc: PHP Internals
Date: Thu, 21 Jul 2016 19:24:21 +0500
In-Reply-To: <6cffa6e9-b3b7-cedf-ccb7-cb342c768a4f@rochette.cc>

> I suppose you mean that is the unsafe variant.
> How does this rfc make it not "works good"? People will still have to think about escaping their data.

It suggests a way where the safe variant is as easy as the unsafe one, without any additional code. Of course, the unsafe variant cannot be removed because of backward compatibility. But in new code it will not be used as often as now; it will be used in maybe 1-2% of cases, and old code can gradually be rewritten with the new operator.

> and what it might look like with function autoloading:
> that's why people here are talking about function autoloading

As I understand it, function autoloading cannot load $this->html(). In this example it can load MyClass::html() or MyNamespace\html(), but not $object->html(). And it does not solve the problem of repeating the same action, or the security problem when this action is missed.
Creating one global function for escaping is not a problem. The problem is writing it everywhere.

> htmlspecialchars + json_encode is the correct way to encode a javascript string inside an html page

Yes, it is written there exactly as you said: alert();

Initially my goal was just an operator for HTML escaping. I tried to show that this is a frequently used context. I added work with other contexts because, as I understood, their support is required for such an operator. If it is just for HTML escaping, there will not be a problem with global state. Also, I think it is possible to remove the registry and the PHPEscaper class and have only set_escape_handler() and restore_escape_handler(), exactly like set_error_handler(). Would this be a more appropriate variant? This can be used for [$this, 'escape'] or ['MyEscaper', 'escape'] callables. I just wanted to create a tool ready for use.

> I was thinking about something like that instead:

One of the main reasons for creating this RFC is to have default HTML escaping. Copy-paste is the wrong approach. Without automatic escaping there is no reason to change the language syntax.
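Added example, not from the RFC, the PHPEscaper class or either poster: a small userland escaper showing the context-dependent escaping this thread discusses, in particular the htmlspecialchars-for-HTML versus json_encode-for-JS distinction, and what happens when the unsafe interpolation is used instead. The function names (esc, escape_html, escape_js, escape_url) and the attacker-controlled sample input are assumptions for illustration; `match` and `throw` expressions require PHP 8.0 or later.

```php
<?php
// Added example (not from the RFC or this e-mail): a userland
// context-dependent escaper. Function names are assumptions.
declare(strict_types=1);

// HTML text and double-quoted attribute values.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A JavaScript string literal inside <script>...</script>.
// json_encode yields a valid JS literal; the JSON_HEX_* flags turn
// < > & ' " into \uXXXX so the value can never close the <script>
// element. Invalid UTF-8 throws instead of silently returning false.
function escape_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// A value placed into one URL query component.
function escape_url(string $s): string
{
    return rawurlencode($s);
}

// The "one global function" the thread mentions: dispatch by context.
// Unknown contexts fail closed rather than returning the raw value.
function esc(string $value, string $context = 'html'): string
{
    return match ($context) {
        'html' => escape_html($value),
        'js'   => escape_js($value),
        'url'  => escape_url($value),
        default => throw new InvalidArgumentException("unknown escape context: $context"),
    };
}

// Constructed attacker-controlled input (not real data).
$name = '</script><script>alert(1)</script>';

// Unsafe variant: interpolated as-is, the browser sees a second <script>.
$unsafe = "<script>var name = '$name';</script>\n";

// Safe variants, one call per context.
$out  = '<p>Hello, ' . esc($name) . "</p>\n";
$out .= '<script>var name = ' . esc($name, 'js') . ";</script>\n";
// A JS literal inside an HTML attribute is JS first, then HTML:
$out .= '<button onclick="say(' . esc(esc($name, 'js'), 'html') . ')">hi</button>' . "\n";
// A value in a URL inside an attribute is URL first, then HTML:
$out .= '<a href="/user?name=' . esc(esc($name, 'url'), 'html') . "\">profile</a>\n";

echo "UNSAFE:\n", $unsafe, "\nSAFE:\n", $out;
```

Run it with `php example.php` and compare the two outputs: in the unsafe block the closing `</script>` from $name terminates the script element, while escape_js renders it as `\u003C/script\u003E`, which the HTML parser never sees as a tag. The nested calls in the attribute cases are the point of the thread: the order of escaping follows the nesting of contexts (inner context first, HTML last), which is exactly what a single context-aware operator would have to get right on the author's behalf.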