Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94622 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 31804 invoked from network); 21 Jul 2016 22:44:56 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Jul 2016 22:44:56 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.44 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.44 mail-wm0-f44.google.com Received: from [74.125.82.44] ([74.125.82.44:35848] helo=mail-wm0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 60/BA-52781-76051975 for ; Thu, 21 Jul 2016 18:44:55 -0400 Received: by mail-wm0-f44.google.com with SMTP id q128so36892021wma.1 for ; Thu, 21 Jul 2016 15:44:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=W1FzPeIXy65FzKOXPv9ljg+wbKUkdHYHTNNi5oFNlCs=; b=UrZpgW4aldI+foUFcJ0o/Xr5zs7HceMK2Rz6o6oTffGbgxU73Jr5izIGZsN7z9E+9B 895bJLPtiGEf18JItqYWQw8Q+BEwaFKOoCWFXyOeLVCRKVGaA2IJGRfOic15G5D55VFr xJYAcmnrCV7E4IbCKLszjJnnIy6a88xC0nQeaNunN45V/8YS4IsLTdjwHk+2b1n+yORC 7p+r4dtCBec0JKXQADr8J32+zhNfjO6TVPU5CP5hlD4hSdwKIsgwH6SPrZMNRBC43pn/ qRIxSk7YTH1/NKyzTRkyUaID1kebmYdsIK71a//a8djI1cIE7D08H8iblFD4Z/paxL6Y MSlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=W1FzPeIXy65FzKOXPv9ljg+wbKUkdHYHTNNi5oFNlCs=; b=djgSLA/IYjMjYf6JVYUTw7JkrvfoKh1BekauT3+rjuSYAKbFFA7zHn31I/+UGXmSIS e7sjsdi0hbC0DUU6rccwOuogcB7jbtLwqZ8KKoBeC52X9HmG42okptJrP0fDPegCT+V+ 2lIggLOeFO/MeVKxVLlENhm9u1b3oe1npHAHauT3BDzMSE9NDoWPglibrGkKPJrc+I2r PPF2WtdMGLXPur8iu3Y7QcvXwAzCLozESTFYaW/SOsaRkDE/ieCfA1tVaejJjuTt5R9v 7sPVJkWMYInQf+onKj++EZCQWPxDk9U2fK+zE14A7OeT0XygGcssrebsl3ajPWXRn/AR TiBg== X-Gm-Message-State: AEkoouuotDaYeHMeKax2SuE/wyAHKL4TqtyByTTG1jWNfgqMTMsdxTxvcupvT1nPH53NLA== X-Received: by 10.28.96.11 with SMTP id u11mr1026299wmb.5.1469141091953; Thu, 21 Jul 2016 15:44:51 -0700 (PDT) Received: from [192.168.1.5] ([95.148.161.240]) by smtp.googlemail.com with ESMTPSA id v189sm7805568wmv.12.2016.07.21.15.44.51 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Jul 2016 15:44:51 -0700 (PDT) To: internals@lists.php.net References: Message-ID: <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com> Date: Thu, 21 Jul 2016 23:44:40 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping From: rowan.collins@gmail.com (Rowan Collins) On 16/07/2016 16:33, Michael Vostrikov wrote: > Operator has the following form: > > > > [...] > Operator is compiled into the following AST: > > echo PHPEscaper::escape(first_argument, second_argument); > Hi Michael, I'm coming around to the need for (or at least value of) this operator, but I'm not keen on the details of the current draft. For this operator to meet its stated aims it needs to be simple, obvious, and easier to get right than wrong; and the current proposal feels like it fails on all counts. - The trick with the magic class name and namespace aliasing is neat, but feels likely to confuse a lot of users. - The basic syntax seems OK, but sticking the escaping types after the output makes it hard to spot what's going on with anything other than a simple variable. e.g. renderView($thing->getViewName(), 'html'), 'js' ?> - Because it's not obviously part of the oops', 'html' ?> Operators don't normally have a list of arguments. - The fact that the escape filter is a string, or any kind of expression, compounds this. What happens if you mistype the argument? Or with the current proposal's use of '|', what if you get that syntax wrong? Now, I'm not saying this just to demolish the current proposal, but if the idea is to make escaping second nature, I think the syntax needs to be much more obvious, and much more "special". (If we make it too flexible, we're basically inventing a new templating language, and we're not actually short of those.) I quite like Mathieu's suggestion, but not the free-form callable part (if you're mentioning the whole function name, you can just call it already). How about using a compound like (defaulting to HTML escape) (JS escape only; not sure if this should encode as JSON, or just a JS safe string; maybe as well / instead...) (JS escape and then HTML escape) The common escape types should be built in, with maybe a function to override them and register additional types, similar to stream_wrapper_register. The biggest use case for this is people who *aren't* using a framework, which would have either a templating engine or a bunch of escaping helpers already, so customising the definitions is going to be the exception, not the rule. The biggest barrier, though, remains that will still work, and will still be used in examples people see, so people will still be in the habit of using the unsafe operator. It's pretty marginal whether remembering to reach for is actually any easier than remembering to reach for Regards, -- Rowan Collins [IMSoP]