Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94688
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33902 invoked from network); 24 Jul 2016 18:29:43 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Jul 2016 18:29:43 -0000
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-wm0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:38054] helo=mail-wm0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 71/93-05797-71905975 for <internals@lists.php.net>; Sun, 24 Jul 2016 14:29:43 -0400
Received: by mail-wm0-f54.google.com with SMTP id o80so128491302wme.1
        for <internals@lists.php.net>; Sun, 24 Jul 2016 11:29:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=FxFt5eAEScUBOiv9vv0kibIwHqiUCqBlfW9adtMLgfk=;
        b=hYp2FnOZ7mAOcbVawN7DmtfsjCGD48wCXBxzuwZIBPKH8jzw+tZANcjbOvJ5/2bMIS
         BzGP+BfaP5/czzz9Mujcdphy116aa07O5BocbpzgaJg4PLWF93d2sbwEONprpKhT29ys
         //NM4OIor7hS/ObY5Oy4JcXNk6gFaYE+4SXaCMOROT7IG4YSNRr+j2GzV77/WyScntex
         6780wvl8o51/7wFn/VHj4as4fMRNNgyDCOquQ3f+Jd5y/nMKJF2VV9n6oUnStURiunAH
         3PqCKBJf0N9gGe/qXizPaNQgBT0l+ffA/VUKZ4oqN+CBhw8Z/TKJ88XVCxKYxRn8u24T
         JytQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=FxFt5eAEScUBOiv9vv0kibIwHqiUCqBlfW9adtMLgfk=;
        b=f9rnuAMY0AMTDi3IE0CawX2ll1lSZlSI1eo00XcQ47Q+TV8stX9TDRO0YXNGI+ql56
         GETNR2lmns8wkvfw0GVOrn2ZE9Y8LGMFcU/UAk1WikD4AlGrM3L1PHO2bvjEs1jAZuAK
         8uNfbRm8hyHOV2+9kdi3mZBbGT4qj1xd7vpNUiOfI83S9inDixEfQ8oZ1b8ENJQO3/aT
         EYanva+Qv24UZ90rbNcCmwIa9iaCH8f8usCJAnghkPGlYOJL82ciIoXyAazGqaj5J2h7
         8AMT9KrZuuO1+mWAXDHLbYldR9IqAAAgFLnfQ+Z5Sq3ePoUMmAaL16mpzsstNMT9jQbA
         vSxA==
X-Gm-Message-State: AEkoouvWwcDWweW5iH0dBfCx7O/Jkm0iBmxSjkYP81Vm4Lt8qgm28HjoQhKsnROM1UCFPw==
X-Received: by 10.194.11.72 with SMTP id o8mr12673578wjb.10.1469384980480;
        Sun, 24 Jul 2016 11:29:40 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id v134sm23456249wmf.10.2016.07.24.11.29.39
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 24 Jul 2016 11:29:39 -0700 (PDT)
To: internals@lists.php.net
References: <20160724170644.916231A8060C@dd1730.kasserver.com>
 <fee7cd80-0da9-6c92-0783-1d6f54ecaa17@gmail.com>
 <20160724180950.E1D6B1A8066E@dd1730.kasserver.com>
Message-ID: <d6dc43cc-53a9-1285-0331-2a6d51b70b6e@gmail.com>
Date: Sun, 24 Jul 2016 19:29:37 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160724180950.E1D6B1A8066E@dd1730.kasserver.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 24/07/2016 19:09, Thomas Bley wrote:
>> Then why is absolutely everything in the current RFC optional and
>> configurable to the Nth degree?
> It's one handler: set_escape_handler() (N=1)
>
> Currently, every framework has it's own methods for escaping. To get this together, set_escape_handler() is a good choice, similar to set_error_handler().

It's not set_escape_handler() that I'm concerned about, it's how you 
actually use it in the templates. At the moment, the only thing the RFC 
actually asserts about the escape handler is "it's a function with two 
arguments". Frameworks are free to write all sorts of weird shit:

<?* $foo, 'html' ?>
<?* 'html', $foo ?>
<?* $foo, 'text/html' ?>
<?* $foo, [$this, 'escaper'] ?>
<?* $foo, $this ?>
<?* $foo, 'js | html' ?>
<?* $foo, 'js + html' ?>
<?* $foo, ['js', 'html'] ?>
<?* $foo, '[js, html]' ?>
<?* $foo, '{js, html}' ?>
<?* $foo, 'html(UTF-8)' ?>
<?* $foo, 'UTF-8' ?>
<?* [$foo, $bar, $baz], 'ul > li' ?>
etc
etc

If you want to provide something that will be the same in all 
frameworks, then you've got to actually provide it.


>> OK, so I can dynamically redefine the same syntax to mean different
>> things at different times, within the same application. I'm not entirely
>> sure that's a particularly good thing.
> It's the same thing with set_error_handler(), set_exception_handler(), spl_autoload_register(), error_reporting(), etc., this concept is proven to work.

OK, fair enough. I'm not sure it's really a killer feature, though. The 
fact that I can't easily redefine "function e()" is no more of a problem 
here than anywhere else in the language.


>> In my opinion, they are central to the feature, not an optional extra.
> maybe you can join the rfc and provide the implementation?

The implementation I'm talking about is hardly complex, just some 
default arguments to htmlspecialchars(). Or that would be the case, if 
we didn't need to provide one escape callback to handle all possible 
arguments, rather than registering for a specific strategy name.

Regards,

-- 
Rowan Collins
[IMSoP]