Newsgroups: php.internals
From: rowan.collins@gmail.com (Rowan Collins)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
Date: Sun, 24 Jul 2016 15:40:05 +0100

On 24/07/2016 10:48, Michael Vostrikov wrote:
> Operator is compiled into the following AST:
> echo escape_handler_call(first_argument, second_argument);

I'm sorry, but this is now so simple it undermines its own argument for existing.

> There is no default handler for any context, to
> prevent 'built-in' wrong work of constructions in non-HTML
> contexts like CSV. This is not hard to create a handler once. Default
> context can be set in it as default value for second argument.

So it is now mandatory to have some bootstrap file somewhere that defines and registers the escape function? How is that different from writing, right now, at the top of your bootstrap file:

    function e($str, $context = 'html') { ... }

You are effectively offering a way of aliasing a particular function to the magic name "*", and everything else is still down to the user.

> Complicated syntax like .

I have no idea why that is "complicated syntax", but your proposal isn't:

Or even:

In your proposal, part of the syntax won't even be standard between different people's code (and yes, the '|' in 'html | js' is syntax, even if it's not parsed until run-time).

Is it just that you don't like the escape strategy coming first? I suggested it that way just to make it stand out more, but this would be entirely equivalent (assuming we could find an appropriate separator):

> If we allow custom handlers, then we need runtime processing, so the
> example above cannot be compiled into
>
> directly, and it will something like
>

Yes, this is exactly how all template languages I've ever seen do it. Once you unroll the if / switch / lookup table, the code run under your proposal would be something like this:

    $temp = $str;
    $temp = json_encode($temp);
    $temp = htmlspecialchars($temp);

I don't really see how one is any better than the other.

> I.e. we anyway need to pass context as a second argument, so why not allow
> user to do it.

Because we're trying to make it easier for the user, not harder. Why make them handle the nesting, sanity-checking, and control flow of multiple filters, rather than building them into the syntax from the start?

Regards,

--
Rowan Collins
[IMSoP]
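
The chained-filter handling discussed in the message above, as an added example (not part of the original message or of the RFC): a run-time filter spec such as 'js | html' is sanity-checked and then unrolled into the json_encode / htmlspecialchars sequence shown in the reply. The function escape_chain(), the filter names and the left-to-right application order are assumptions made for this illustration; it needs PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added illustration: escape_chain() and the filter names are hypothetical,
// not part of the RFC or of PHP itself.
const ESCAPE_FILTERS = [
    'html' => 'escape_html',
    'js'   => 'escape_js',
    'url'  => 'rawurlencode',
];

function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_js(string $s): string
{
    // Produces a quoted JS string literal; the JSON_HEX_* flags also keep
    // <, >, &, ' and " out of the literal as raw characters.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function escape_chain(string $value, string $spec): string
{
    $names = array_map('trim', explode('|', $spec));

    // Sanity-check the whole chain before applying any filter, so a typo
    // fails loudly instead of emitting a half-escaped value.
    foreach ($names as $name) {
        if (!isset(ESCAPE_FILTERS[$name])) {
            throw new InvalidArgumentException("Unknown escape filter: '$name'");
        }
    }

    // Assumed order: filters apply left to right, innermost context first.
    foreach ($names as $name) {
        $filter = ESCAPE_FILTERS[$name];
        $value = $filter($value);
    }
    return $value;
}

$name = "O'Reilly </script>";   // constructed sample input

// JS string literal first, then HTML-attribute escaping around it.
echo '<a onclick="greet(', escape_chain($name, 'js | html'), ')">hi</a>', PHP_EOL;

try {
    escape_chain($name, 'js | htm');   // misspelled filter name is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```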