Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94749
Return-Path: <michael.vostrikov@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 65809 invoked from network); 30 Jul 2016 06:06:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Jul 2016 06:06:08 -0000
Authentication-Results: pb1.pair.com smtp.mail=michael.vostrikov@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=michael.vostrikov@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.180 as permitted sender)
X-PHP-List-Original-Sender: michael.vostrikov@gmail.com
X-Host-Fingerprint: 209.85.216.180 mail-qt0-f180.google.com  
Received: from [209.85.216.180] ([209.85.216.180:34018] helo=mail-qt0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D1/30-63489-FC34C975 for <internals@lists.php.net>; Sat, 30 Jul 2016 02:06:08 -0400
Received: by mail-qt0-f180.google.com with SMTP id u25so79204255qtb.1
        for <internals@lists.php.net>; Fri, 29 Jul 2016 23:06:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:cc;
        bh=ERL7zQi8oyJ3YjltHjiKYB2kp2Q8Tm+qJXCG8cchfdk=;
        b=k7Fga9nT38S4opIuLcqIqeB+j9+S9aZxlUKumh3MVZsWxRX8gdVouwZI86//bo994J
         6ArG+uJFsh2wCyX0ApwldEa90r4ET3HzEuD2a1MwEG4wn8Ufa8NU/gSgai8aSvd1N7si
         pootr0VHAS5Ac2G0GEduRPoRT/pwqB5TVTFcjKGb7U0L/FbyZZQspCLXe1tDENswLjv7
         a+8tx43OYY0/DZfB0zK/rFArWCAseP3adFPWWTTjmmfUldfvgVbMcc42FHLnnn2b3Mab
         5/o+4hMpMy9S06QXTs9Efte6hcY1xVuvVLIsmSxyPPk8U2L3jcG74ghSyLDc3sw34fyd
         QnNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:cc;
        bh=ERL7zQi8oyJ3YjltHjiKYB2kp2Q8Tm+qJXCG8cchfdk=;
        b=KzXv8ea3df96GtmImOYm54om1CenmtaEMrwj6fWe1CL8F4Owis+i9RH/InFCZeueod
         z5aftQxX0UsT5ecaF9DfE18ikSaYUK9+3Z3QbpgrCoOcoJnQUEUrH/Xg/5qH6Amv8+RO
         qyccoTnrh5VIf3xzv9N/Bl8RvATjm1rXJFV1lhd1zlxGEjcoQcSzkf+iuk6vkEj4n0KS
         8g9n6qbAS69hlJe4feFz5wjZj3hyyYYIhd4Exx7vxpfo70TnPS9/uZo3/EtlATxqR/DP
         hPKQlOgxais3aEmCYu0IqDmoKDGjZ3RKDunCa69DcDz1M1M6xAls/trU+aBnFLFL5OOy
         3n/A==
X-Gm-Message-State: AEkoouvRqmbwAEqfk4gx6upBItx8Cvu8jmSrM8cJrc/zFK1Gyws4z519th7b+0pDaZAQhtYkgDegq9ifPyreEw==
X-Received: by 10.237.59.161 with SMTP id r30mr68320306qte.22.1469858765178;
 Fri, 29 Jul 2016 23:06:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.189.135 with HTTP; Fri, 29 Jul 2016 23:06:04 -0700 (PDT)
In-Reply-To: <CADqTB_jb9zTOiM7khjMVKRi9bV4AJ5E+tQTWvNEbW5RYVDmD2A@mail.gmail.com>
References: <CAEDdnaWVYbh=t1-bvDh9fixCoC7Be4asoEus=dRhGggx_9VLNg@mail.gmail.com>
 <933449d0-90c2-0d7a-cb80-a171289d8286@texthtml.net> <CAGovj_PiUjJmAncZjrtTiJmBTmuwA1MgfpjwpkKWdp_NHPekpw@mail.gmail.com>
 <CAEDdnaWEwNH-+kOxPk2GDqRod90kOqbT1yGHkOMqx5L9AXRaLA@mail.gmail.com>
 <CAEDdnaVrAvMHzj=bxhp9fOEFRgJ3rY9Tn9XP0oPfYZ0EU-RrjA@mail.gmail.com>
 <20160724145557.D52C31A80BBD@dd1730.kasserver.com> <6cfac572-9982-87f8-5a55-9213d978cde9@gmx.de>
 <20160724162103.BC5741A83512@dd1730.kasserver.com> <efdfdd99-77d9-f722-7000-13b4528dd77c@gmx.de>
 <20160724172131.675AC1A800B0@dd1730.kasserver.com> <9bc0db6a-fa19-5f87-0e82-3702dcb34254@gmx.de>
 <CAEDdnaWm-fUoBRdrce=DF8By6ybkTe_ca_niV2xdQp4yecU6Rw@mail.gmail.com>
 <CAEDdnaVx2Rx0pe+ZCzP=rpWW8OiQ73opmRhLCho_MwV1NRAiaw@mail.gmail.com>
 <20160727224510.7B80C1A80358@dd1730.kasserver.com> <20160728093917.5DCC51A82392@dd1730.kasserver.com>
 <a3299edc-3754-c8ba-0ff8-6cdf214c12ed@gmail.com> <CADqTB_jb9zTOiM7khjMVKRi9bV4AJ5E+tQTWvNEbW5RYVDmD2A@mail.gmail.com>
Date: Sat, 30 Jul 2016 11:06:04 +0500
Message-ID: <CAEDdnaWJbWoF6YkioafOTXtAXOK3dk3-bTO75q6Jtg6NpB-gRA@mail.gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c1922a6918dbb0538d42998
Subject: Re: [PHP-DEV] [RFC] New operator for context-dependent escaping
From: michael.vostrikov@gmail.com (Michael Vostrikov)

--94eb2c1922a6918dbb0538d42998
Content-Type: text/plain; charset=UTF-8

> The aim in my mind would be to make escaping easier to do right, for
people who aren't already using a framework or templating engine with its
own solution.
> The current implementation doesn't seem to share these priorities; it
feels like a building block for framework developers, who probably have
their own solutions already.

No! You don't understand what I'm trying to explain. This feature will be
useful for ALL applications without template engine - frameworks, CMS,
custom core. You say that frameworks have their own solutions already. But
the problem IS NOT that we don't have a solution. PHP already has built-in
function htmlspecialchars(), Yii has Html::escape(), Zend has
$this->escape(). This is not the problem. The problem IS that developer
must call these functions everywhere manually.

<div>
    <div data-user-id="<?= Html::escape($profile->user->id) ?>">
        <?= Html::escape($profile->name) ?>
    </div>
    <div>
        <?= Html::escape($profile->description) ?>
    </div>
    <div>
        <?= Html::escape($profile->age) ?>
    </div>
    <div>
        <?= Html::escape($profile->position->name) ?>
    </div>
    <div>
        <?= Html::escape($profile->group->name) ?>
    </div>
    <div>
        <?= Html::escape($profile->organisation->address) ?>
    </div>
</div>

This is the same as calling constructor manually after every 'new'
statement: (new User)->__construct(...), (new Profile)->__construct(...).
We have special function '__construct', which is called automatically. I
suggest similar way for escaping. And because we cannot set the same magic
function name for all applications I suggest to do this by registering a
callable.
This is not intended for people who don't have escaping functions, this is
intended for people who already have escaping functions. RFC suggests the
way how to call these functions automatically. And people who don't have
escaping function may define it once, and it also will be called
automatically.



> - you can define automatic escaping for a whole file or a block within a
file
> - there is an extra filter to skip the automatic escaping (not the same
as unescaping)
> - the above can be done with any "context", but the default is HTML
> - a "context" is not just the argument to a single all-powerful "escape"
function; you can register a new context by name, > without reimplementing
any of the existing functionality
> - other template functions can say that their output shouldn't be
escaped, or that their input should be pre-escaped
> - other functionality of the system is aware of these notions, and
designed to behave sensibly

> I don't think there's any way PHP can ever reach that level of
sophistication, because most of the language knows nothing about "context";
the feature we build in is only ever going to be a simple short-hand for
some basic function calls.

Almost all of these points can be done with the system described in the
RFC. Application can allow or restrict new contexts (without reimplementing
any of the existing functionality). Any behavior can be defined in
userland, we just need a point of extension.

<?php
class CsvTemplate
{
    protected $escapers = [];


    function render()
    {
        set_escape_handler([$this, 'escape']);
        include $this->templateFile;
        restore_escape_handler();
    }

    function escape($str, $context = 'csv')
    {
        switch ($context) {
            case 'csv':
                return $this->escapeCsv($str);
            break;

            case 'raw':
                return $str;
            break;

            default:
                if (isset($this->escapers[$context])) {
                    return call_user_func($this->escapers[$context], $str);
                }

                throw new Exception('Unknown context');
            break;
        }
    }

    function setEscaper($context, $callable)
    {
        ...
    }
}
?>

header1;header2;
<?* $data['field1'] ?>;<?* (int)$data['field2'], 'raw' ?>;



> But secondly, because people are lazy, or misunderstand, or make mistakes
when they're in a hurry. Your RFC isn't going to magically fix all those
things.

It exactly is going to fix all those things. If people will use this
operator with HTML escaping by default, standard <?= ?> operator will not
be needed.



> Just a thought, but I can't help thinking that "improved escape
facilities and syntax" are a mere patch for a more than superficial problem.
> The problem of differentiating HTML strings, which to not require
escaping, from other string, which do, could actually be viewed as a deeper
problem, which is the inability to tell string types apart.
> /** @var string product description as HTML, do not escape this */
> public $description;

This is another problem, and it depends on your infrastructure or business
logic. Only your application or model knows what is stored in
'$description'. What if I have a site for learning HTML and my
'$description' contains an example with HTML, which should be HTML-encoded
on the page with a lesson, so that it will look like source code? This is
not a task of escaping system.



> And a more intelligent escape function, like:
>
>    typedef HTML extends string;
>
>    class ProductView
>    {
>        /** @var HTML product description */
>        public $description;
>    }
>
>    function html($str) {
>        return $str instanceof HTML ? $str : htmlspecialchars($str);
>    }

You can do this now by defining class 'HTML' with '__toString' method,
without any typedefs. What is the problem? And anyway you must call your
'html()' function everywhere, and this is the problem.

--94eb2c1922a6918dbb0538d42998--