Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94728
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 94691 invoked from network); 27 Jul 2016 20:57:57 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jul 2016 20:57:57 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.68 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.68 mail-wm0-f68.google.com  
Received: from [74.125.82.68] ([74.125.82.68:36558] helo=mail-wm0-f68.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 52/70-23041-55029975 for <internals@lists.php.net>; Wed, 27 Jul 2016 16:57:57 -0400
Received: by mail-wm0-f68.google.com with SMTP id x83so8200209wma.3
        for <internals@lists.php.net>; Wed, 27 Jul 2016 13:57:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=G3jNgV39aWmWH4vyce23HzwRgCZO8Fr97HcAx09ppkM=;
        b=uxhM5ICY3RdqogxNPYYnO+fLjy0ZbfMTBuvV4bKRsbAHGT+exu7REK/Vn5an4mbJf4
         BvLiQSpf9sr8QR3gxBpDwlkkDFhop7LGNnMUfq8GlkbgyQ7W/N4ULPs01fOLHPfKAwPR
         1o2QZXhQyRtaNqkvXndZHqach33boGPWXpCaBSHV0GzWbyiwOI191uXFpvtIf8CnzgIC
         4NzjCkMRBWYRd2m2JzOf6VZWNFhcq88JvCFc1RlYxGD4HIIVdvcq7tQpKHxBodsso0Nj
         4cuBI90ho7OBP+YpiP2mQDdEYfJQ8WVhR0tK7sroWYzaBxVsbuN2Fg98Lf/SMtbRQCtH
         n/FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=G3jNgV39aWmWH4vyce23HzwRgCZO8Fr97HcAx09ppkM=;
        b=P/ucIKCNDaZuxK1Dk9ebEk09TaLY9MPG7EudmCZs/FGo8iLcGD67QV9wP0Cu1VM442
         gGTH1srxeKPCizQI6uhkAlC7dGCs7CfjSJFMKOkun1bm+4700SZvuBX2Go02jK8gumpv
         f7blv73QuBc8flHdkhrSClPwrDBB5YwbdmdTp7DqJtj+8WwtQEWNjQ0CoOLxZ3ir11qr
         xmj/wG7EUCqBgsOGPy0Z6J3KjF8g1RZ/sXFmg2fW1fE2HDFfRL3YPNVHTsHzDnJq3x5Z
         yd9lEysckovLHrG+EAOQuRJN+5xzz/FeFHfDT5qpjK4gm+y5F7pWa1FGlB3sh3/DrFBk
         7hDQ==
X-Gm-Message-State: AEkoousESV57fJHOSWjQ5aRZwwK154fTS+EUAimKQLuKl60ctSk/tm+XCpWhSU3UuMJpXQ==
X-Received: by 10.28.182.84 with SMTP id g81mr16106736wmf.20.1469653074077;
        Wed, 27 Jul 2016 13:57:54 -0700 (PDT)
Received: from [192.168.1.5] ([95.148.161.240])
        by smtp.googlemail.com with ESMTPSA id v189sm39997807wmv.12.2016.07.27.13.57.53
        for <internals@lists.php.net>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 27 Jul 2016 13:57:53 -0700 (PDT)
To: internals@lists.php.net
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <CAObuZdvy9F3sLu=MArNEvh3ZxFkZ=byb7UbH0Gaw2sx=C0QRzw@mail.gmail.com>
 <CAEDdnaV8Qaoib6=v+NBCYYymtQQgyr28qryJ1dBHhVsXqWu5kA@mail.gmail.com>
 <4920f683-9a4d-7153-b157-a7d7ce8cbfe7@gmail.com>
 <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net>
 <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com>
 <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com>
 <CAEDdnaVrAvMHzj=bxhp9fOEFRgJ3rY9Tn9XP0oPfYZ0EU-RrjA@mail.gmail.com>
 <20160724145557.D52C31A80BBD@dd1730.kasserver.com>
 <6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de>
 <20160724162103.BC5741A83512@dd1730.kasserver.com>
 <efdfdd99-77d9-f722-7000-13b4528dd77c@gmx.de>
 <20160724172131.675AC1A800B0@dd1730.kasserver.com>
 <9bc0db6a-fa19-5f87-0e82-3702dcb34254@gmx.de>
 <CAEDdnaWm-fUoBRdrce=DF8By6ybkTe_ca_niV2xdQp4yecU6Rw@mail.gmail.com>
 <CAEDdnaVx2Rx0pe+ZCzP=rpWW8OiQ73opmRhLCho_MwV1NRAiaw@mail.gmail.com>
Message-ID: <ebfd0e1b-049f-d38b-7de8-62a98c1c2376@gmail.com>
Date: Wed, 27 Jul 2016 21:57:45 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAEDdnaVx2Rx0pe+ZCzP=rpWW8OiQ73opmRhLCho_MwV1NRAiaw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: rowan.collins@gmail.com (Rowan Collins)

On 26/07/2016 14:15, Michael Vostrikov wrote:
> Ok. Just ask you, why people ask the same question again since the time PHP
> was created? Why almost all feature requests mentioned in RFC are about an
> easy way to call htmlspecialchars()? You can vote up or down, I just want
> to get an official result about this feature. I think, it can be considered
> as official answer to community, to those people from community who would
> like to use default escaping mechanism in PHP.

Hi Michael,

I think you and I are mostly going in circles at this point, so I'm 
going to refrain from blow-by-blow responses and sum up my thinking on 
this RFC.

Overall, I think there is some merit to the idea, but I think the detail 
is important.

The aim in my mind would be to make escaping easier to do right, for 
people who aren't already using a framework or templating engine with 
its own solution.

- Without an actual implementation, the feature wouldn't be useful to 
those people.
- Configurability should be a long way down the list of priorities, for 
the same reason.
- I think contexts other than HTML should be included to remind users 
that they exist, but HTML could be the default.
- Contexts should be stackable/nestable, *without the user writing any 
extra code*.
- The syntax should be easy to read as well as easy to write. How easy 
it is to implement is a low priority.

The current implementation doesn't seem to share these priorities; it 
feels like a building block for framework developers, who probably have 
their own solutions already.


A few mentions have been made of Twig, which is known for its 
comprehensive escaping support; it goes a lot further than the fact that 
"|e" is an alias for "|escape('html')":

- you can define automatic escaping for a whole file or a block within a 
file
- there is an extra filter to skip the automatic escaping (not the same 
as unescaping)
- the above can be done with any "context", but the default is HTML
- a "context" is not just the argument to a single all-powerful "escape" 
function; you can register a new context by name, without reimplementing 
any of the existing functionality
- other template functions can say that their output shouldn't be 
escaped, or that their input should be pre-escaped
- other functionality of the system is aware of these notions, and 
designed to behave sensibly

I don't think there's any way PHP can ever reach that level of 
sophistication, because most of the language knows nothing about 
"context"; the feature we build in is only ever going to be a simple 
short-hand for some basic function calls.


In many ways, defining a built-in function e($string, $context) would 
fulfil most of the above. A dedicated syntax might make it a little 
easier to type, and could handle nested contexts more elegantly. The 
ability to register additional contexts and take advantage of the syntax 
and nesting could be a simple addition. Any more complicated than that, 
and you're fighting a losing battle against dedicated templating engines.

That's my opinion, anyway. It is just an opinion, and you're free to 
disagree with it, but hopefully my reasoning is clear.

Regards,

-- 
Rowan Collins
[IMSoP]