Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94649
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11886 invoked from network); 23 Jul 2016 15:23:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Jul 2016 15:23:56 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.49 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.49 mail-wm0-f49.google.com  
Received: from [74.125.82.49] ([74.125.82.49:35857] helo=mail-wm0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 7B/31-05797-C0C83975 for <internals@lists.php.net>; Sat, 23 Jul 2016 11:23:56 -0400
Received: by mail-wm0-f49.google.com with SMTP id q128so87733180wma.1
        for <internals@lists.php.net>; Sat, 23 Jul 2016 08:23:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=from:subject:to:references:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=gGxS6wPjlzmtSfpy1cMEnFi3SHLlgTMadXA6WixjdkY=;
        b=XqfTl3DV4hLMKUEA5mdVmt8VmGAfWGsByAgZEnGm1lIU7ARfjcZsRVQH7c6L/ue6SS
         ZqC4/GKtu4a7kVmhpQEfHYcpWUfGO7RfsEspsUt0qEYnM6ZLRZgWS5r0osTRX1TJrLsm
         aKLfle2JX6qD8TEqjNyG/mLj5MERxdCIVk3p/5Q8owr5xcE2siexSIQH5WEZLoxiDwov
         x1l1nGsGN9edSyYKjG7tClfVmcM6+4KSIwUUBcZOSHp8fLG0YqFDWnzYzZZyXFXh73C4
         r4BpYM/1jSbUyyOJe7KCV/wFNtPP+0nbxk1J9UsOQiIzBEx7YUsuF6crZj4FBHhIBtlj
         jpFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:from:subject:to:references:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=gGxS6wPjlzmtSfpy1cMEnFi3SHLlgTMadXA6WixjdkY=;
        b=NIkMtCBc/19xnzMiXrgdipQ4N9TBOmEMaO8oS8nPoPGoIngNRTA2pIZaO3AZvZ0o8x
         vHzxPkMdoqe3djwkAcLuf+MtW/UQCxkFtgvGoMvD7ZSPbUeLgJya+IObhi0NubjmxlpT
         GtWx0oKUPWhPF7z7wVkVmCOUNIY8Fec03wANqvENK1RLhBItjI05qG361cEP7JMyRXcb
         ggLmnreHyu9q80+D3iDBTJxHzJ0UzGB/7Hzf3c1hWL6A73o6ZViZq6VgiuWR/25qbHFT
         prjZP8LcCL0IGR5LPO5mARu9VqJWyjrogcfdrcPiKIir2eYBn6Xj2dTU8sCq754WkV80
         Kw6g==
X-Gm-Message-State: AEkoouupMeYUlK1XlMiFTsauK7kYIkpA0ojpJhzAveRsnd/B2xiq1P6djiL8UyBGf3x17g==
X-Received: by 10.28.50.3 with SMTP id y3mr4207917wmy.23.1469287433264;
        Sat, 23 Jul 2016 08:23:53 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id e65sm18021431wmg.3.2016.07.23.08.23.52
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 23 Jul 2016 08:23:52 -0700 (PDT)
To: internals@lists.php.net
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>
 <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com>
 <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com>
 <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com>
Message-ID: <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com>
Date: Sat, 23 Jul 2016 16:23:52 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 22/07/2016 15:54, Michael Vostrikov wrote:
>> The more you compare it to a function call, the less I understand how it
> gains over just defining a function e() and writing <?= e( $foo, 'html') ?>
>> > I might as well just write "function e($string, $mode='html') { .... }"
>> > they will already have a method of doing this
> Yes, and they have to write a call of it everywhere. New operator can
> remove it.

This is the part I don't get. How does "using an operator everywhere" 
remove the effort of "using a function everywhere"? It's the same effort 
in both cases.


> The goal is to remove copy-paste for HTML escaping (so it will become
> automatic)
   > ...
   > the problem is to copy-paste it in 90% places of output data.

If somebody can't type "e(" and ") without copying and pasting, then 
they're going to have a hard time writing any meaningful code.


>> On the other hand, if I have an array and ask for it to be HTML-escaped,
> nothing iterates the array for me, it will just print "Array". So if I ask
> for it to be "JS-escaped", why should it magically produce a JSON array?
> Yes, I agree, I methioned this in RFC - JSON is not escaping, it is
> encoding in special notation.
> This is one of the reasons why I was disagreed with the need to support
> multiple contexts.
> So, the question is up again - do we really need multiple contexts?

The reason multiple contexts are needed, in my opinion, is the false 
sense of security of saying "we have built-in escaping", but actually 
meaning "we have built-in HTML escaping". If the idea of this feature is 
to make good escaping habits second-nature to users who don't have a 
templating system, then there's a responsibility to remind them that not 
all contexts are created equal.

As for what "JS-escaped" should mean, why not just backslash-escape 
quote marks, like you'd ampersand escape double quotes in HTML?

<?php $foo = "World's End"; ?>
var foo='<?*js= $foo ?>';

var foo='World\'s End';


> Yes, PHPEscaper from RFC works that way - PHPEscaper::registerHandler().
> But it think runtime definition with second variable is more flexible way.
> There are external contexts (HTML is one of) and internal task-dependent
> contexts which can be combined with HTML. We cannot know all possible tasks.
> And we come again to pipe operator and twig-like syntax.

More flexible to what end? Why do I need to be able to dynamically 
define arbitrarily complex expressions as the filter name?

Note that what is defined in the RFC currently is *not* similar to 
Twig/Smarty, because it views the parsing of the | as *internal* to the 
callback, not part of the escaping syntax itself. It allows you to 
define an escape callback that instead uses "," as the separator, and I 
don't see why that would ever be necessary.

If you have a new context, give it a name, and register it. As I say, 
this is how streams work - you don't register a callback that filters 
all filepath strings, you register a prefix for your particular stream type.


Again, the stated aim of this RFC is to make correct escaping easier 
than incorrect escaping. That means providing really obvious syntax, out 
of the box, for doing the right thing.

Regards,
-- 
Rowan Collins
[IMSoP]