Newsgroups: php.internals
Xref: news.php.net php.internals:94684
To: internals@lists.php.net, rowan.collins@gmail.com
Message-ID: <20160724170644.916231A8060C@dd1730.kasserver.com>
Date: Sun, 24 Jul 2016 19:06:44 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: mails@thomasbley.de ("Thomas Bley")

> It's not that difficult to write a static analyser that detects
> instances of "

> Surely the feature gets most of its value from what you *don't* need to
> do - which is why I think it's bizarre that the current version doesn't
> even have a built-in HTML escaper at all.

I think it's no problem to have a follow-up RFC defining some default escapers.

> It's not possible for multiple frameworks or libraries to declare
> different escape handlers in your proposal, either.

not sure I get your point?

    public function render($template) {
        // set the handler before the template is included
        set_escape_handler(['SomeClass', 'methodName']);
        ob_start();
        include $template;
        $content = ob_get_clean();
        // undo the set_escape_handler() call above
        restore_escape_handler();
        return $content;
    }

> You could equally say, "with you have to define an e()
> function". The main effort is remembering to use the right syntax, which
> you have to do either way.

the thing here is that people can use

> On 24/07/2016 17:21, Thomas Bley wrote:
>>>
>>>
>>> instead of
>>>
>>>
>> benefits are using static code analyzers, grep "
> It's not that difficult to write a static analyser that detects
> instances of "
>
>> Having function names with single characters is bad taste and only useful for
>> obfuscating.
>
> And having a token "*" that calls a different function in every
> application is somehow less obfuscated?
>
>
>> Using multiple frameworks or libraries, it's not possible to redeclare
>> functions with the same name.
>
> It's not possible for multiple frameworks or libraries to declare
> different escape handlers in your proposal, either.
>
>
>> The big difference is:
>> With
> You could equally say, "with you have to define an e()
> function". The main effort is remembering to use the right syntax, which
> you have to do either way.
>
> Surely the feature gets most of its value from what you *don't* need to
> do - which is why I think it's bizarre that the current version doesn't
> even have a built-in HTML escaper at all.
>
> Regards,
> --
> Rowan Collins
> [IMSoP]
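
The render() sketch in the message never reaches restore_escape_handler() if the included template throws, so the inner handler would stay active for the caller's output. As an added illustration (not code from this thread or from the RFC), the following userland emulation keeps handlers on a stack and restores them in a finally block; EscapeHandlers, its methods, the closures standing in for template files and the two sample handlers are hypothetical, and PHP 8 is assumed.

```php
<?php
// Added example (PHP 8+). EscapeHandlers and render() are hypothetical userland
// stand-ins for the set_escape_handler()/restore_escape_handler() pair.
final class EscapeHandlers
{
    private static array $stack = [];   // active handlers, innermost last

    public static function push(callable $h): void { self::$stack[] = $h; }
    public static function pop(): void { array_pop(self::$stack); }

    public static function escape(string $value, string $context = 'html'): string
    {
        if (self::$stack === []) {
            // Fail closed: without a handler, refuse to emit the value at all.
            throw new LogicException('no escape handler installed');
        }
        return (self::$stack[array_key_last(self::$stack)])($value, $context);
    }
}

function render(callable $template, callable $handler): string
{
    EscapeHandlers::push($handler);
    ob_start();
    try {
        $template();
        return ob_get_contents();
    } finally {
        // Runs when the template throws as well: the partial buffer is dropped
        // and the caller's handler becomes the active one again.
        ob_end_clean();
        EscapeHandlers::pop();
    }
}

// Constructed sample: library A's page embeds library B's widget, which fails.
$libA = fn(string $v, string $ctx): string => match ($ctx) {
    'html'  => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    'url'   => rawurlencode($v),
    default => throw new InvalidArgumentException("unknown context: $ctx"),
};
// B's handler leaves quotes alone, so it must not leak into A's output.
$libB = fn(string $v, string $ctx): string => htmlspecialchars($v, ENT_NOQUOTES, 'UTF-8');
$widget = function (): void {
    echo EscapeHandlers::escape('<i>partial</i>');
    throw new RuntimeException('widget failed');
};
$page = function () use ($widget, $libB): void {
    try { echo render($widget, $libB); } catch (RuntimeException $e) { echo '[widget unavailable] '; }
    echo EscapeHandlers::escape('Tom & "Jerry" <tj@example.com>');  // uses $libA again
};
echo render($page, $libA), "\n";
```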