Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94625
Return-Path: <michael.vostrikov@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66096 invoked from network); 22 Jul 2016 07:31:06 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Jul 2016 07:31:06 -0000
Authentication-Results: pb1.pair.com smtp.mail=michael.vostrikov@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=michael.vostrikov@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.177 as permitted sender)
X-PHP-List-Original-Sender: michael.vostrikov@gmail.com
X-Host-Fingerprint: 209.85.220.177 mail-qk0-f177.google.com  
Received: from [209.85.220.177] ([209.85.220.177:34169] helo=mail-qk0-f177.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EC/9F-52781-ABBC1975 for <internals@lists.php.net>; Fri, 22 Jul 2016 03:31:06 -0400
Received: by mail-qk0-f177.google.com with SMTP id o67so94563417qke.1
        for <internals@lists.php.net>; Fri, 22 Jul 2016 00:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:cc;
        bh=QoGL4KyvO7EGELa3VqWxxx4nRv1Mz0JZyWppRzoOGFg=;
        b=Gsnl4JpvKK1Gqjj9aYcX/+yJz1xIJ3S5sFl1DC8eQhD42/oi6oVji1wM7wjAXRzHRg
         lApA8ijS79RTRT5sP5mkwS+2UESVZ1SCvTw3lajwuWOnm0RY37RAlnWJGLqrxzFs8D+5
         99SofpCVjNMXBJLbLiLd4B6JMQHSHtpmnVaZoOAgKGFECH5HspPiiNUck15McjzJVSCu
         QeHFGh3BUCibJf99HU9EgyERRkSSG8xdFmxIdIkwhM+TT2vJy9rWnf1cq2VHnMMux0N2
         OP5lSgWaPX53qOZ27fZ/uXeetNhiRkp59SQoDv75+j8OFsFmVf3Iq2/xUM3Tj4GqijxF
         wwfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:cc;
        bh=QoGL4KyvO7EGELa3VqWxxx4nRv1Mz0JZyWppRzoOGFg=;
        b=IJkghnB0U7/3EibQyrLDXpT09jdrEWEgz6qoro/n7r+aZSTLj2RuawKUqukFrSkxHv
         QpzcUuqePznjQlmRp9/KHA9Gw5hsaSchSs3MMU+VFtWiU4zNP3gHTz4E1BrHupipgukR
         VdcIecqodZ4DxYmulCZVfoDM2K103/QpIEWlHmJx8M/MJUilDPicCSdbWKd5uliI5NKW
         4AYEanEOyfma9LM/6VDrDn3Y64N5ZhD5Q4DrDzVsXEYZgAT5rKMBqDtNzlGkdq+Mmpsb
         NkjT/gm6OK33vFAO8789p/0lNRy7pwKKdv/CfIyXeNeemGwrO02yxcyPNRTZ+6TlETe2
         8wdQ==
X-Gm-Message-State: AEkoouvYUZsvSYxaeQueg8KXDcNho5X/5cZs+iRs56AwWaGjN/pX/dNEyDAlyGybANT6G60a46qTPNpr0l8x2A==
X-Received: by 10.55.96.133 with SMTP id u127mr2993579qkb.55.1469172663706;
 Fri, 22 Jul 2016 00:31:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.189.135 with HTTP; Fri, 22 Jul 2016 00:31:02 -0700 (PDT)
In-Reply-To: <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>
Date: Fri, 22 Jul 2016 12:31:02 +0500
Message-ID: <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c0566cebc02b50538346a26
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)

--94eb2c0566cebc02b50538346a26
Content-Type: text/plain; charset=UTF-8

> sticking the escaping types after the output makes it hard to spot what's
going on with anything other than a simple variable. e.g. <?*
$this->renderView($thing->getViewName(), 'html'), 'js' ?>

In Twig escapers and filters are also written after a variable, and this is
not confusing for many users.
{{ render(thing.viewName, 'html') | escape('js') | somefilter }}


> Because it's not obviously part of the <?* operator, someone might think
the escape parameter can be used elsewhere: <?php echo
'<blink>oops</blink>', 'html' ?> Operators don't normally have a list of
arguments.

Just a default variable, nothing complicated.
If they write echo like this, they will notice 'oopshtml' and then correct
this contstruction.
Binary operators have 2 arguments (add($a, $b), escape($string, $context)),
'for' has 3 arguments.
And this is the reason why I want it to be a call of function with constant
name. This is very clear - <?* $str, $context ?> turns into
some_escape_function($str, $context).


> What happens if you mistype the argument? <?* $foo, 'hmtl' ?> Or with the
current proposal's use of '|', what if you get that syntax wrong? <?* $foo,
'html || js' *?> <?* $foo, 'html, js' ?>

Exception: Unknown context 'hmtl'.
Exception: Unknown context ''.
Exception: Unknown context 'html, js'.

If the handlers for these contexts are not set, of course.


> if you're mentioning the whole function name, you can just call it already
> <?*html= $foo ?>
Do you mean the function autoloading? What is the difference with not-fq
name 'PHPEscaper' then?) And how to use an escaper like [$this, 'html'] ?


> JS escape only; not sure if this should encode as JSON, or just a JS safe
string; maybe <?*json= $foo ?> as well / instead...
This looks unclear for me - why I cannot use json for strings and what if
my variable sometimes is an array, sometimes a string?


> The biggest use case for this is people who *aren't* using a framework
... so customising the definitions is going to be the exception, not the
rule
They can setup their escapers once, this is not a problem, but the problem
is e.g. default flags for html escaping.
Customization is required.


> If we make it too flexible, we're basically inventing a new templating
language
We cannot forbid a customization, so any custom escaper is a kind of new
templating language.
The operator must be simple for use. If someone wants to create new
templating language in his application, let he create. It will be in
application, not in PHP.


> The trick with the magic class name and namespace aliasing is neat, but
feels likely to confuse a lot of users

Yes, I have to agree. Maybe more better way is to make it similar to
set_error_handler() - not for context as it is in RFC, but for 'escape'
callable.

<?php

    // somewhere in application

    set_escape_handler(function($string, $context = 'html'){
        ...
    });

    // or

    set_escape_handler([$this, 'escape']);
?>

<?* $myValue, $myContext ?>


Libraries can save and restore original handler when rendering their
templates. If the library meet unknown context during work, it can call
original handler from inside its handler. Frameworks and CMSs can provide
an internal syntax for registering custom handlers from modules and
libraries.
The reason for creating not-fq name 'PHPEscaper' was a possiblity to use
custom handler in some library, without taking care about application
handler. But maybe this will bring more problems than it solves...

We cannot use a stack like spl_autoload, because escaping function can
return only a string, not true or false.
There can be used a special variable "html($str, $context, &$handled)",
return an array [$str, $handled], or throwing and catching exceptions that
can reduce performance. All variants look as inappropriate.

So, it seems, the easiest way is with set_escape_handler().

--94eb2c0566cebc02b50538346a26--