Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94689 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38225 invoked from network); 24 Jul 2016 19:57:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Jul 2016 19:57:46 -0000 Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.128.151 cause and error) X-PHP-List-Original-Sender: mails@thomasbley.de X-Host-Fingerprint: 85.13.128.151 dd1730.kasserver.com Received: from [85.13.128.151] ([85.13.128.151:38398] helo=dd1730.kasserver.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D1/14-05797-8BD15975 for ; Sun, 24 Jul 2016 15:57:45 -0400 Received: from dd1730.kasserver.com (dd0800.kasserver.com [85.13.143.204]) by dd1730.kasserver.com (Postfix) with ESMTPSA id BE1CF1A8066E; Sun, 24 Jul 2016 21:57:41 +0200 (CEST) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-SenderIP: 95.91.212.140 User-Agent: ALL-INKL Webmail 2.11 In-Reply-To: References: <20160724170644.916231A8060C@dd1730.kasserver.com> <20160724180950.E1D6B1A8066E@dd1730.kasserver.com> To: internals@lists.php.net, rowan.collins@gmail.com Message-ID: <20160724195741.BE1CF1A8066E@dd1730.kasserver.com> Date: Sun, 24 Jul 2016 21:57:41 +0200 (CEST) Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping From: mails@thomasbley.de ("Thomas Bley") > Frameworks are free to write all sorts of weird shit: with set_escape_handler(), the "weird shit" is in one place and can be quickly verified. Now the "weird shit" is spread over all templates. Normally the problem is not fixing the frameworks, it's most work to fix code that is using the frameworks in a wrong way. Regards Thomas Rowan Collins wrote on 24.07.2016 20:29: > On 24/07/2016 19:09, Thomas Bley wrote: >>> Then why is absolutely everything in the current RFC optional and >>> configurable to the Nth degree? >> It's one handler: set_escape_handler() (N=1) >> >> Currently, every framework has it's own methods for escaping. To get this >> together, set_escape_handler() is a good choice, similar to >> set_error_handler(). > > It's not set_escape_handler() that I'm concerned about, it's how you > actually use it in the templates. At the moment, the only thing the RFC > actually asserts about the escape handler is "it's a function with two > arguments". Frameworks are free to write all sorts of weird shit: > > > > > > > > > > > > > > li' ?> > etc > etc > > If you want to provide something that will be the same in all > frameworks, then you've got to actually provide it. > > >>> OK, so I can dynamically redefine the same syntax to mean different >>> things at different times, within the same application. I'm not entirely >>> sure that's a particularly good thing. >> It's the same thing with set_error_handler(), set_exception_handler(), >> spl_autoload_register(), error_reporting(), etc., this concept is proven to >> work. > > OK, fair enough. I'm not sure it's really a killer feature, though. The > fact that I can't easily redefine "function e()" is no more of a problem > here than anywhere else in the language. > > >>> In my opinion, they are central to the feature, not an optional extra. >> maybe you can join the rfc and provide the implementation? > > The implementation I'm talking about is hardly complex, just some > default arguments to htmlspecialchars(). Or that would be the case, if > we didn't need to provide one escape callback to handle all possible > arguments, rather than registering for a specific strategy name. > > Regards, > > -- > Rowan Collins > [IMSoP] > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >