Newsgroups: php.internals
From: michael.vostrikov@gmail.com (Michael Vostrikov)
Date: Sun, 24 Jul 2016 14:48:39 +0500
To: PHP Internals
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

I have written many messages already. I think the purpose of this operator is clear. In this discussion I have come to an understanding of what I would like to use.

You suggest very hard and complex solutions:

    $escape = new SplEscaper;
    $escape->support('e', function () { ... });
    declare('filter=htmlentities');

This is not what I wanted to suggest.

I have rewritten the RFC a little. There are no tricks with ZEND_NAME_NOT_FQ, there are no magic constants, there are no problems with autoloading. The solution is small, simple, and customizable.

https://wiki.php.net/rfc/escaping_operator

There are 3 functions:

    callable|null set_escape_handler(callable $handler)
    bool restore_escape_handler()
    escape_handler_call(mixed $string, mixed $context)

They work similarly to set_error_handler() / restore_error_handler().
The operator is compiled into the following AST:

    echo escape_handler_call(first_argument, second_argument);

The function escape_handler_call() just passes the given arguments to the user-defined handler. The second argument is not required. If the handler is not set, it throws an exception. There is no default handler for any context, to prevent 'built-in' wrong work of constructions in non-HTML contexts like CSV.

It is not hard to create a handler once. The default context can be set in it as the default value for the second argument.

    set_escape_handler(function($str, $context = 'html') { ... });

What is under discussion:

Starting sign. Last one is more comfortable to type.

Separator sign. Maybe it should differ from standard syntax to prevent mistakes like instead of . '|' won't give error, but looks more similar to escaping in template engines. $b ?>

Whether to wrap the functions in a class or namespace (fully qualified), so as not to clutter up the global namespace:

    set_escape_handler()
    restore_escape_handler()
    escape_handler_call()

    PHPEscaper::setEscapeHandler()
    PHPEscaper::restoreEscapeHandler()
    PHPEscaper::escapeHandlerCall()

And also any names in the source code or details of implementation, without changing the main algorithm.

What is not under discussion:

Built-in contexts. Because escape_handler_call() is not an escaper itself, but just a helper to call a user-defined escaper, it should not handle any contexts. This allows to prevent 'built-in' wrong work of constructions in non-HTML contexts like CSV.

Multiple arguments. I think it is enough that the second argument can be of any type, e.g. an array.

Complicated syntax like . If we allow custom handlers, then we need runtime processing, so the example above cannot be compiled into directly, and it will be something like I.e. we anyway need to pass the context as a second argument, so why not allow the user to do it.

If someone wants a more complex solution or a built-in template engine, he can create another RFC and suggest his own implementation.
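
The dispatch described in the message, as an added PHP example that is not the author's or the RFC's code: userland stand-ins for the three proposed functions (which do not exist in PHP) and one handler with 'html' as its default context. The class EscapeHandlerStack, the 'js' and 'url' context names and the sample value are assumptions made for the example.

```php
<?php
// Userland stand-ins for the three functions proposed in the message.
// They are not part of PHP; they only mimic the behaviour it describes.
final class EscapeHandlerStack { public static $handlers = []; } // hypothetical

function set_escape_handler(callable $handler) {
    $previous = end(EscapeHandlerStack::$handlers) ?: null;
    EscapeHandlerStack::$handlers[] = $handler;
    return $previous;
}

function restore_escape_handler() {
    array_pop(EscapeHandlerStack::$handlers);
    return true;
}

function escape_handler_call($string, $context = null) {
    $handler = end(EscapeHandlerStack::$handlers);
    if ($handler === false) {
        throw new LogicException('No escape handler is set');
    }
    // Forward the context only when given, so the handler's default applies.
    return func_num_args() > 1 ? $handler($string, $context) : $handler($string);
}

// One handler for the whole application; 'html' is the default context.
set_escape_handler(function ($str, $context = 'html') {
    if ($context === 'html') {
        return htmlspecialchars((string) $str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if ($context === 'js') {   // safe as a JS literal inside a <script> block
        return json_encode($str, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }
    if ($context === 'url') {  // one query-string or path component
        return rawurlencode((string) $str);
    }
    // No silent fallback to HTML rules for other contexts such as CSV.
    throw new InvalidArgumentException('Unknown escape context');
});

$name = 'Tom & "Jerry" </script>'; // constructed sample value
echo '<p>', escape_handler_call($name), "</p>\n";
echo '<a href="/u?name=', escape_handler_call($name, 'url'), '">profile</a>', "\n";
echo '<script>var name = ', escape_handler_call($name, 'js'), ";</script>\n";
try {
    escape_handler_call($name, 'csv');
} catch (InvalidArgumentException $e) {
    echo 'csv: ', $e->getMessage(), "\n";
}
```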