Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94686
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 29319 invoked from network); 24 Jul 2016 17:41:20 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Jul 2016 17:41:20 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-wm0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:35813] helo=mail-wm0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 0B/B2-05797-0CDF4975 for <internals@lists.php.net>; Sun, 24 Jul 2016 13:41:20 -0400
Received: by mail-wm0-f54.google.com with SMTP id f65so110500010wmi.0
        for <internals@lists.php.net>; Sun, 24 Jul 2016 10:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=ETDla9HvYZuj7j4Ml4wDn6cezwEqnP3gZel7B3/i880=;
        b=Uk5wHeNFkGB7VY++HPWlK4ws9s0NzUfsbrlmXOB8Oyr+uhaasBZQR5EjxHFDRtoucl
         wegxvKm8UGlg2ZX6/ka7vfdhyt/m5aCaHtMOf5Z3Q+MVl6iM9DDcy7spNtEZ37Dv5F4K
         +yz0JqoVU+r4VKASDcawgUqkLdKEIy+ZsHbqhDlC7EmaJcjKX1ComGxFfZQoHoNsnI/W
         K+4n07IHeNlQOH8OfWFABIIvvgE9YV3rdiDddx9sWCvFtxs5Iqrke/LsA+CXz0zisT8l
         J6wUKxEOz3FDfTJ1atBCcKF9xL2ZehjjFXrmjHOWSXKwHYdwTWzXbPKgAAF8FcbVtjQQ
         xUtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=ETDla9HvYZuj7j4Ml4wDn6cezwEqnP3gZel7B3/i880=;
        b=EJrXOzRrVMow1ckA7cq3fT6+UwvUMgaAu0NI3kb+Da9/yhoK5YuGexSFl2Cw+jcsDh
         CB/bLDrXCRoyIxteuJfP5wRKW7xjm8jM8hBI8KQ7RZSTrYg4w39t+8O83lXX18RQOIs7
         9R1mPssgIRt7Z5XqCg0xt5KR+wHqGUM8qZqTFqu7DnOEtUrqmN7+E5cNn/+lkHbC7W2M
         5ZBSZ8lFL+xuVSb8P8RzdHEwOxwf2Fr3FDCdfS6TzCSz/UEpm4N6oUWzIyBlCnUQ7ooe
         xMimik960LifrEyg+9tYucSE+fvjHVO0dv8zXakEAE5nVfEjbGyCyazJKrv3WyHCKdE0
         yNDg==
X-Gm-Message-State: AEkoouvqVactfS1sdqcLH5AAbgpGKj8PXJumC5PKRgzb8i5wtlX04y4dLurbh5BSMie+VA==
X-Received: by 10.194.96.205 with SMTP id du13mr12050185wjb.89.1469382076255;
        Sun, 24 Jul 2016 10:41:16 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id c131sm23005197wmh.1.2016.07.24.10.41.15
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 24 Jul 2016 10:41:15 -0700 (PDT)
To: internals@lists.php.net
References: <20160724170644.916231A8060C@dd1730.kasserver.com>
Message-ID: <fee7cd80-0da9-6c92-0783-1d6f54ecaa17@gmail.com>
Date: Sun, 24 Jul 2016 18:41:13 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160724170644.916231A8060C@dd1730.kasserver.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 24/07/2016 18:06, Thomas Bley wrote:
>> It's not that difficult to write a static analyser that detects
>> instances of "<?=" not followed by "h(" or "e(" or whatever.
> <?* and <?= are same for all applications, h() is user-defined. So you need to write a different analyzer for every application if you use h() or e().

This argument is only valid if the RFC includes an implementation, not 
just a syntax. As currently proposed, not even the syntax would be the 
same for all applications, as part of it is hand-waved as up to whoever 
writes the escape callback.


>> Surely the feature gets most of its value from what you *don't* need to
>> do - which is why I think it's bizarre that the current version doesn't
>> even have a built-in HTML escaper at all.
> I think it's no problem to have a follow-up rfc defining some default escapers.

In my opinion, they are central to the feature, not an optional extra.


>
>> It's not possible for multiple frameworks or libraries to declare
>> different escape handlers in your proposal, either.
> not sure I get your point?
>
> public function render($template) {
>    set_escape_handler(['SomeClass', 'methodName']);
>    ob_start();
>    include $template;
>    $content = ob_get_clean();
>    restore_escape_handler();
>    return $content;
> }

OK, so I can dynamically redefine the same syntax to mean different 
things at different times, within the same application. I'm not entirely 
sure that's a particularly good thing.


>> You could equally say, "with <?=e()?> you have to define an e()
>> function". The main effort is remembering to use the right syntax, which
>> you have to do either way.
> the thing here is that people can use <?= without e() and save coding time.

People can use <?= instead of <?* and save learning the difference. Lazy 
people will still be lazy.

Yes, there's a very slight effort saved by it being shorter, but at the 
cost of a minimum PHP version, an extra thing to learn, etc.


> Security cannot be optional, see.

Then why is absolutely everything in the current RFC optional and 
configurable to the Nth degree?

Regards,

-- 
Rowan Collins
[IMSoP]