Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94676
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6444 invoked from network); 24 Jul 2016 14:20:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Jul 2016 14:20:52 -0000
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.46 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.46 mail-wm0-f46.google.com  
Received: from [74.125.82.46] ([74.125.82.46:38816] helo=mail-wm0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 35/CE-05797-1CEC4975 for <internals@lists.php.net>; Sun, 24 Jul 2016 10:20:50 -0400
Received: by mail-wm0-f46.google.com with SMTP id o80so123890546wme.1
        for <internals@lists.php.net>; Sun, 24 Jul 2016 07:20:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=g1sZ1X+KHqaODkdvgED9A3XV78ha4FvNYppCIpfw2Z8=;
        b=SeGkJclZ8uhbXwzWbj6qub9Wwk9ICN4nubSUskur9pubEAjJ/QbyHS8u6yIagXWXKH
         ElWm1wbz45gWF6K70h0HzIE8Ml2trUydRsPgDHxNNUCBYM7H/OXMObYO02L6lRGmNG2u
         ij7+9940U/XeFZrOPzeG5AaHqTvPS4aEJUT2UBxreRWz2esHGcGgp18+Pyii1vj5qUnh
         4jACy2MlNr3lDRXHNI5RilylBcH5/M4sF5KbcX1yzUa/fjgg+jyjTE6b/nw8y6ZiiinH
         Voiq5nDxLw5yNsBQISjV0H/2kQhu00TEMPjYq8vGCZwIt9FDGMjT7IeLkGEd4sj0Ng7e
         8i9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=g1sZ1X+KHqaODkdvgED9A3XV78ha4FvNYppCIpfw2Z8=;
        b=cM8LCIalRTABHtlyxMKBP/fkFZRUAfTXSn3vP4EVvM2ISWPb8LQi7UQczPU/EhEPCt
         Wi/s6oIfor24mqhrtWl5G9GRF+A4ps+tTDRbe515HA5SGHlCSSR6u+XEHiZHw6w611DK
         eFD199Rp84aN3RFXFJBvXL9znZskGOHV3hiXK334xwuugfQLzeht2O51q2D9w5f+/M+g
         STZJ+NYeME1vcJVh39D1jCUjWK9XX3qpd+DS+rllU87vHDxN5zWjM3E/WHpgpcEx/O0U
         AbhlsjSUrXqIHd3DTG92yymheHkqrPPYJB7crG02z71rIK/KOpMBLLqR6hOkVUZmNUYP
         gPRw==
X-Gm-Message-State: AEkoouuzxG4G4+dhDOcQnRCLDOkNlnV+pl3Cz3jGsPYp85B5i3+ryLS9+EAnWQPKLzJBvA==
X-Received: by 10.194.114.194 with SMTP id ji2mr10963185wjb.33.1469370046477;
        Sun, 24 Jul 2016 07:20:46 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id r13sm22552432wmf.12.2016.07.24.07.20.45
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 24 Jul 2016 07:20:45 -0700 (PDT)
To: internals@lists.php.net
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>
 <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com>
 <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com>
 <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com>
 <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com>
 <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net>
 <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com>
 <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com>
Message-ID: <d7de1264-6b22-cef3-2ad7-1221197d15eb@gmail.com>
Date: Sun, 24 Jul 2016 15:20:43 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 24/07/2016 10:42, Michael Vostrikov wrote:
>
>> It is a string too, instead of an identifier like in <?* $value, escape ?>
>> ... IDE will have problem by identify where you have defined it
> It should not be identifier or single function name, because in this way we
> could not use closures or object methods ($this->escape) for escaping.
> Context should be an expression, like it is done in template engines. So,
> no problems with IDE.

register_escape_handler('foo', [$this, 'escape']);

<?*foo= $something ?>

Where's the problem?

If you mean you want to be able to pass an actual callable as the 
context, what would be the point? Why would I ever write this:

<?* $something, [$this, 'escape'] ?>

when I could just write this:

<?= $this->escape($something) ?>


>> This is the part I don't get. How does "using an operator everywhere"
> remove the effort of "using a function everywhere"? It's the same effort in
> both cases.
>
> "using an operator everywhere" and "using an operator + function
> everywhere, especially if the operator itself works good but is unsafe".

Sorry, I still don't get it. <?= will still "work good but be unsafe" no 
matter how the correctly-escaped version looks. When somebody's typing 
code into their PHP "template" file, they've got to remember which 
symbols to type; they don't care if those symbols are an operator, a 
function, or a magic incantation. Look at the Wordpress documentation, 
it talks about "tags", which any programmer immediately recognises as 
function calls.

So to a novice writing templates, it doesn't really matter if you say 
the incantation to output a variable is "<?= e($" followed by the 
variable name and ")?>", or "<?* $" followed by the variable name and 
"?>". One is 3 characters shorter, but that is the sole difference in 
terms of effort.


>> If somebody can't type "e(" and ") without copying and pasting, then
> they're going to have a hard time writing any meaningful code.
>
> What is the difference how he wrote 'e()' ?  It may be 'ctrl-c-ctrl-v',
> 'ctrl-insert-shift-insert', 'e-shift-(-)'. The result is the same - this is
> a copied code.

Huh? Is the word "I" copied in this e-mail, because the English language 
requires me to write it more than once? And if "e(" is "copied code", 
how is the "*" in "<?*" not also "copied code"?

I get it, if you are talking about having to type "htmlspecialchars()" 
the whole time, but I stand by my assertion that anyone put off by 
typing "e()" is beyond hope.



>> More flexible to what end? Why do I need to be able to dynamically define
> arbitrarily complex expressions as the filter name?
>
> To the case when we write escapers statically. Twig allows to pass a
> context as a variable, why it is needed to specially restrict escaping
> mechanism in PHP? We don't know all possible tasks which can require
> additinal escaping together with HTML.

Twig allows you to register a named "strategy" to a single callable, 
exactly as I am suggesting: 
http://twig.sensiolabs.org/doc/filters/escape.html#custom-escapers This 
is much more useful than a single callback that has to handle all 
possible strategies.

You're right that Twig allows you to use a variable as the escaping 
strategy, although it warns that doing so defeats the intelligence of 
its auto-escaping mechanism. But this could still be done without 
allowing arbitrary expressions, or embedding syntax inside the strategy 
argument:

<?*$strategy*html= $text ?>


We don't need to handle all possible things that anyone might ever want 
to do. If they're doing something complex, they can implement their own 
way of doing it - probably by writing a templating engine, or using one 
of the many that already exist.

Regards,

-- 
Rowan Collins
[IMSoP]