Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94682
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 21529 invoked from network); 24 Jul 2016 16:39:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Jul 2016 16:39:14 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-wm0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:35158] helo=mail-wm0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 5A/31-05797-03FE4975 for <internals@lists.php.net>; Sun, 24 Jul 2016 12:39:13 -0400
Received: by mail-wm0-f54.google.com with SMTP id f65so109514114wmi.0
        for <internals@lists.php.net>; Sun, 24 Jul 2016 09:39:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=Lod4nAfWyhFseE3bd3uj3pF6avLqwPbQ01Lcru2DdJs=;
        b=wgkr4zbh6cZfAnaArhVC+fzrHxuxM/0deW+nwGn0f5r86yEelA9vLHgLUUMY97dI/5
         6cOMgRMgTT1TFKyfO+Ilj7Y5OJMzN60eJ2m9TMvb8RRXUulg3T3fAklcqSD8q1bVsQJI
         w5Lxd8rMtMWA9ui8VysDegnQngoVILijSEnzqxsGQ5RVAeRfzKKgNzoFVL7bEk1QMeV4
         /XhJ+Nr73cTuQFUK0Pra3PgfmTeaazJuTwYClSQg496NpsAChqOMmLC6LuTjVib2bcOG
         ZOftCBxHLouwXAe0nNJzW5kfFqH5IcK58eiH1y7mrswFZ3cVTkbOLwE8/8Bk2z8k7epa
         9vaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=Lod4nAfWyhFseE3bd3uj3pF6avLqwPbQ01Lcru2DdJs=;
        b=ME0KlwVvxGDH0vygoax9vysV4y4KVxY8y/8QNuU0mZBQCrJzTwq/joS6kCoBDcqgQR
         pXdTI6H7qc6Pglofk/sfkLjF7CrM7IhqYfvQuEz9bdyC0aAqROk2r25jMVnB9m9BPcQC
         KDB3vHoBV3JGJkngtW+h7g0z14jnXRAJN1PJ9fDPhU/WbDMV33gIF/Vk7eZW7wj4Jtvr
         Y58eQyUpAUlgm9rduv+MZsfyzMjQT3MOajRlCGkzbU4LvrtKjW0gtMHmsWuO6cVMOUS+
         NfyyCOimCOmOeK3Hx2/csz9liF8MuEolOl2XoIjiOXbF5PBuxun9xadTvqFXx++B8X6N
         bmaQ==
X-Gm-Message-State: AEkoouv/n4f6qBINgRL7MX1t98dUvrATuDYpmx3fPLbWXXZzIOQDNLgPg2hxTKrFZWApdA==
X-Received: by 10.195.18.170 with SMTP id gn10mr11525637wjd.46.1469378349014;
        Sun, 24 Jul 2016 09:39:09 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id qe2sm11403754wjc.28.2016.07.24.09.39.07
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 24 Jul 2016 09:39:08 -0700 (PDT)
To: internals@lists.php.net
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com>
 <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com>
 <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com>
 <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com>
 <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com>
 <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net>
 <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com>
 <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com>
 <CAEDdnaVrAvMHzj=bxhp9fOEFRgJ3rY9Tn9XP0oPfYZ0EU-RrjA@mail.gmail.com>
 <20160724145557.D52C31A80BBD@dd1730.kasserver.com>
 <6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de>
 <20160724162103.BC5741A83512@dd1730.kasserver.com>
Message-ID: <b9626a75-f1aa-e420-123c-495b5a6fffc5@gmail.com>
Date: Sun, 24 Jul 2016 17:39:05 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160724162103.BC5741A83512@dd1730.kasserver.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 24/07/2016 17:21, Thomas Bley wrote:
>>   <?* $str ?>
>>
>> instead of
>>
>>   <?=h($str)?>
> benefits are using static code analyzers, grep "<?=" for code reviews, etc.

It's not that difficult to write a static analyser that detects 
instances of "<?=" not followed by "h(" or "e(" or whatever.


> Having function names with single characters is bad taste and only useful for obfuscating.

And having a token "*" that calls a different function in every 
application is somehow less obfuscated?


> Using multiple frameworks or libraries, it's not possible to redeclare functions with the same name.

It's not possible for multiple frameworks or libraries to declare 
different escape handlers in your proposal, either.


> The big difference is:
> With <?*, you have to define an escaping function, with <?= it's optional.

You could equally say, "with <?=e()?> you have to define an e() 
function". The main effort is remembering to use the right syntax, which 
you have to do either way.

Surely the feature gets most of its value from what you *don't* need to 
do - which is why I think it's bizarre that the current version doesn't 
even have a built-in HTML escaper at all.

Regards,
-- 
Rowan Collins
[IMSoP]