Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94685
Return-Path: <mails@thomasbley.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27326 invoked from network); 24 Jul 2016 17:21:34 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Jul 2016 17:21:34 -0000
Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error)
X-PHP-List-Original-Sender: mails@thomasbley.de
X-Host-Fingerprint: 85.13.128.151 dd1730.kasserver.com  
Received: from [85.13.128.151] ([85.13.128.151:60084] helo=dd1730.kasserver.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id FF/52-05797-E19F4975 for <internals@lists.php.net>; Sun, 24 Jul 2016 13:21:34 -0400
Received: from dd1730.kasserver.com (dd0802.kasserver.com [85.13.143.1])
	by dd1730.kasserver.com (Postfix) with ESMTPSA id 675AC1A800B0;
	Sun, 24 Jul 2016 19:21:31 +0200 (CEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SenderIP: 95.91.246.158
User-Agent: ALL-INKL Webmail 2.11
In-Reply-To: <efdfdd99-77d9-f722-7000-13b4528dd77c@gmx.de>
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com> <8a39df34-4a23-c496-15f6-20a62d27fc59@gmail.com> <CAEDdnaWwUUVV6q1Sh+pXNQEAENXHHbJ=ZPaq4otnpnFPwVD-5A@mail.gmail.com> <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com> <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com> <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com> <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net> <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com> <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com> <CAEDdnaVrAvMHzj=bxhp9fOEFRgJ3rY9Tn9XP0oPfYZ0EU-RrjA@mail.gmail.com> <20160724145557.D52C31A80BBD@dd1730.kasserver.com> <6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de> <20160724162103.BC5741A83512@dd1730.kasserver.com><efdfdd99-77d9-f722-7000-13b4528dd77c@gmx.de>
To: internals@lists.php.net, michael.vostrikov@gmail.com, cmbecker69@gmx.de
Message-ID: <20160724172131.675AC1A800B0@dd1730.kasserver.com>
Date: Sun, 24 Jul 2016 19:21:31 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: mails@thomasbley.de ("Thomas Bley")

> But you still have to rember to use <?* instead of <?= and use the
> proper escaping function.

I see no problem if companies make a rule not to deploy code containing "<?=". I've seen similar rules for eval() and other functions.
Using proper escaping function is surely another challenge which can be source of security bugs, maybe someone brings up a fuzzy generator to detect these things.

> I just wanted to give an explanation why I would vote
> against it.

I'm not sure if it is a good thing to vote against security enhancements.

Regards
Thomas

Christoph Becker wrote on 24.07.2016 18:52:

> On 24.07.2016 at 18:21, Thomas Bley wrote:
> 
>>>  <?* $str ?>
>>>
>>> instead of
>>>
>>>  <?=h($str)?>
>> 
>> benefits are using static code analyzers, grep "<?=" for code reviews, etc.
> 
> Well, something like `grep -P <\?=(?!h[(])` seems to be a viable
> alternative.
> 
>> Having function names with single characters is bad taste and only useful for
>> obfuscating.
> 
> Cryptic "operators", however, are not?
> 
>> The big difference is:
>> With <?*, you have to define an escaping function, with <?= it's optional.
> 
> But you still have to rember to use <?* instead of <?= and use the
> proper escaping function.
> 
> Actually, I'm not really interested in discussing the current RFC (the
> discussion is already rather lengthy, and has started to go in circles
> long ago).  I just wanted to give an explanation why I would vote
> against it.
> 
> -- 
> Christoph M. Becker
>