Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94680
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: ALL-INKL Webmail 2.11
In-Reply-To: <6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de>
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com> <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com> <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com> <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com> <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com> <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com> <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net> <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com> <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com> <CAEDdnaVrAvMHzj=bxhp9fOEFRgJ3rY9Tn9XP0oPfYZ0EU-RrjA@mail.gmail.com> <20160724145557.D52C31A80BBD@dd1730.kasserver.com><6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de>
To: internals@lists.php.net, michael.vostrikov@gmail.com, cmbecker69@gmx.de
Message-ID: <20160724162103.BC5741A83512@dd1730.kasserver.com>
Date: Sun, 24 Jul 2016 18:21:03 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: mails@thomasbley.de ("Thomas Bley")

>  <?* $str ?>
> 
> instead of
> 
>  <?=h($str)?>

benefits are using static code analyzers, grep "<?=" for code reviews, etc.
Having function names with single characters is bad taste and only useful for obfuscating.
Using multiple frameworks or libraries, it's not possible to redeclare functions with the same name.

The big difference is:
With <?*, you have to define an escaping function, with <?= it's optional.

Regards
Thomas


Christoph Becker wrote on 24.07.2016 17:54:

> On 24.07.2016 at 16:55, Thomas Bley wrote:
> 
>> In total a good rfc everybody should be happy with.
> 
> I'm not happy (to put it mildly) with the RFC as it's now.  The RFC
> speaks of *operator*, where actually start-tags[1] are meant, to start
> with.  Using the word operator is rather confusing in this context.
> 
> Then the RFC states that the new operator is compiled into the following
> AST:
> 
> | echo escape_handler_call(first_argument, second_argument);
> 
> But what happens to additional code, e.g.
> 
>  <?* $str, 'html', 42 ?>
>  <?* $str, 'html'; echo 42 ?>
> 
> Contrast that to the language specification which explains:
> 
> | If <?= is used as the start-tag, the Engine proceeds as if the
> | statement-list started with echo statement.
> 
> Simple, yet precise.
> 
> Anyhow, even if this formal issues will be addressed, I still don't see
> the benefit of being able to write
> 
>  <?* $str ?>
> 
> instead of
> 
>  <?=h($str)?>
> 
> The argument that h() might be forgotten is moot, because it's similarly
> easy to accidently write = instead of *, and both forms allow for
> equally well (semi-)automatic verification that all output is escaped.
> 
> [1]
> <https://github.com/php/php-langspec/blob/master/spec/04-basic-concepts.md#program-structure>
> 
> -- 
> Christoph M. Becker
> 
> -- 
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>