Newsgroups: php.internals
Xref: news.php.net php.internals:94631
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)
Date: Fri, 22 Jul 2016 19:54:45 +0500
Cc: PHP Internals
References: <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>

> The more you compare it to a function call, the less I understand how it gains over just defining a function e() and writing
> I might as well just write "function e($string, $mode='html') { .... }"
> they will already have a method of doing this

Yes, and they have to write a call of it everywhere. A new operator can remove it. I talked about it in previous messages, when I explained why function autoloading is another problem: it is not a problem to create a function, the problem is to copy-paste it in 90% of the places where data is output. The goal is to remove the copy-paste for HTML escaping (so it becomes automatic) and the possible XSS when this copy-paste is missed. If we can get it to work with other contexts, it will be just a good addition.

> If you can pass a variable as the escaping method

The second variable is not an escaping method. It is a context. The escaping function can handle this context as it wants.

> On the other hand, if I have an array and ask for it to be HTML-escaped, nothing iterates the array for me, it will just print "Array". So if I ask for it to be "JS-escaped", why should it magically produce a JSON array?

Yes, I agree, I mentioned this in the RFC: JSON is not escaping, it is encoding in a special notation. This is one of the reasons why I disagreed with the need to support multiple contexts. So, the question is up again: do we really need multiple contexts?

> Again, focusing on simplicity:
> set_escape_handler('html', 'htmlspecialchars');
> set_escape_handler('json', 'json_encode');
> ?>
>
> becomes:
>

Yes, PHPEscaper from the RFC works that way: PHPEscaper::registerHandler(). But I think runtime definition with the second variable is a more flexible way. There are external contexts (HTML is one of them) and internal task-dependent contexts which can be combined with HTML. We cannot know all possible tasks. And we come again to the pipe operator and Twig-like syntax.

> Which begs the question, if you can verify that the call to set_escape_handler comes before the template, then can you also be sure that a function definition will come before it, and just call a function directly?

Sorry, not sure if I understand your question. What do you mean by 'call a function directly'? If you mean escape($myValue, $myContext) ?> then the goal is to remove this copy-paste.
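The handler-per-context registry discussed in this exchange, as an added PHP example that is neither the RFC's PHPEscaper nor code from either poster; the class name, method names and the sample inputs are assumed. It also shows the point raised about arrays: the html handler stringifies rather than iterates, while the json handler encodes rather than escapes.

```php
<?php
// Added example (not from the RFC or the thread): a minimal context-keyed
// escaping registry in the style of set_escape_handler()/PHPEscaper.
// All names here are assumptions for illustration, not PHP or RFC APIs.
declare(strict_types=1);

final class Escaper
{
    /** @var array<string, callable(mixed): string> */
    private static array $handlers = [];

    public static function registerHandler(string $context, callable $handler): void
    {
        self::$handlers[$context] = $handler;
    }

    public static function escape(mixed $value, string $context = 'html'): string
    {
        if (!isset(self::$handlers[$context])) {
            // Unknown context: fail closed instead of emitting raw data.
            throw new InvalidArgumentException("no escape handler for context '$context'");
        }
        return (self::$handlers[$context])($value);
    }
}

// 'html' covers element text and quoted attribute values; ENT_QUOTES
// handles both quote styles, ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
Escaper::registerHandler('html', fn(mixed $v): string =>
    htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'));

// 'json' encodes (not escapes) a value for an inline <script> block. The
// JSON_HEX_* flags keep "<", ">", "&" and quotes out of the output, so a
// string such as "</script>" cannot terminate the block early.
Escaper::registerHandler('json', fn(mixed $v): string =>
    json_encode($v, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));

// Constructed sample input standing in for untrusted user data.
$name  = '<img src=x onerror="alert(1)">';
$items = ['a<b', 'c"d'];

echo '<p>', Escaper::escape($name), "</p>\n";                          // html context
echo '<script>var items = ', Escaper::escape($items, 'json'), ";</script>\n"; // json context

// An array in the html context is only cast to string: PHP emits an
// "Array to string conversion" warning and the output is the word "Array".
echo Escaper::escape($items), "\n";
```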