Newsgroups: php.internals
Date: Sat, 23 Jul 2016 15:23:37 -0400
To: PHP Internals List
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: tendoaki@gmail.com (Michael Morris)

Not replying to anyone in particular or quoting anything so I'll start afresh. This is with the topic though, but I'm going to step outside of the box a bit.

PHP was a template engine at inception. It still is to some degree - hence braceless syntax. The argument can be made that while the language has evolved the template engine capabilities of PHP are severely lagging. This is why smarty and twig exist - and something has gone awry when people are writing template engines inside of a template engine.

There exists output that needs to be escaped, usually through htmlentities(). Having PHP auto escape the content is often desirable. In a given file though it is very unlikely that more than one filter technique.
So instead of a new operator, why not use the existing declare mechanism to declare a filter?

    declare('filter=htmlentities');

With this on, the function set for filter will be invoked on the output of any echo statement or the shortcode for it. When raw output is still needed, allow print() to output the content, bypassing any declared filters for the file.

This alone would help a great deal, but in addition to this I think having contextual require statements could also be useful. The most obvious example:

    html_require 'path/to/template/file.phtml';

Contextual file import also opens the door to pull in code files that aren't supposed to be echoing anything out, such as class files in most frameworks. Consider this possibility:

    php_require 'path/to/my/classfile.php';

This statement would throw a parse error if there are any or tags at all except a