On Mon, Mar 21, 2016 at 4:53 PM, Daniel Beardsley <dan...@ifixit.com> wrote:
> > This approach has the smell of magic quotes which we got rid of for
> > very good reason. XHP is much more explicit in separating markup from
> > data and relies far less (not at all when you do it right) on escape
> > hatches.
>
> Huh, I don't see similarities to magic quotes at all. That had to do with
> attempting to sanitize input data (plenty of problems with that). All
> templating systems have a means of making the default output
> mechanism perform escaping and a means of preventing that
> escaping with, this adds the same for php templates.

The similarity is that magic quotes assumed that the input data was going
to be embedded within an SQL query without escaping, and therefore needed
escaping. Of course that's an invalid assumption, the input data could be
re-rendered, processed in some arbitrary way, written to a file, sent in an
email, to another web service, etc etc.

This feature makes a similar assumption about output, rather than input.
Specifically, it assumes that the output is HTML, and what is being echoed
hasn't already been escaped and therefore needs to be escaped. Of course
that's an invalid assumption, command line scripts do echo/print of plain
text, and I've seen PHP scripts generate JSON (e.g. a web service),
JavaScript, CSS and plain text via the output buffer.

Not to mention anything could do

    ob_start();
    // ...
    echo $blah;
    // ...
    $foo = ob_get_clean();

or

    ob_start();
    // ...
    ?>...<?= $blah ?>...<?
    // ...
    $foo = ob_get_clean();

and have an expectation about $foo.
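The context mismatch described in the reply above, as an added example that is not part of the thread and not the proposed feature's own code: `emit()` is a hypothetical stand-in for an "echo that always HTML-escapes", and each producer writes output that a real script might produce (a JSON response, an already-escaped HTML fragment, a plain-text CLI message). Both renderers capture the output through the ob_start()/ob_get_clean() pattern from the reply, so the caller's expectation about $foo can be compared directly.

```php
<?php
// Added example. The automatic escaper is simulated, not PHP's behaviour.

// Hypothetical stand-in for an output layer that HTML-escapes everything
// it is asked to print, regardless of what the output actually is.
function emit(string $s): void {
    echo htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Ordinary echo, for comparison.
function emit_plain(string $s): void {
    echo $s;
}

// Run a producer with the given print function and return what the
// surrounding code would receive in $foo via the output buffer.
function capture(callable $producer, callable $print): string {
    ob_start();
    $producer($print);
    return ob_get_clean();
}

// Constructed sample producers, each with a different output context.
$cases = [
    // 1. JSON for a web service: the output is not HTML, so HTML-escaping
    //    it turns a valid document into garbage for the JSON consumer.
    'json' => function (callable $print): void {
        $print(json_encode(['user' => 'a&b', 'note' => '<ok>']));
    },
    // 2. The developer already escaped the untrusted value for HTML.
    //    Escaping again at output time double-encodes it, and the user
    //    sees a literal "&lt;script&gt;" instead of "<script>" as text.
    'already_escaped' => function (callable $print): void {
        $name = htmlspecialchars('<script>', ENT_QUOTES, 'UTF-8');
        $print("<p>Hello, $name</p>");
    },
    // 3. Plain text on the command line: quotes and ampersands are just
    //    characters here, there is no markup context to protect.
    'cli' => function (callable $print): void {
        $print("Processed 3 files in 'tmp' & 'cache'\n");
    },
];

foreach ($cases as $label => $producer) {
    $plain = capture($producer, 'emit_plain');   // what $foo holds today
    $auto  = capture($producer, 'emit');         // what $foo would hold with auto-escaping
    printf("%-16s plain: %s\n", $label, trim($plain));
    printf("%-16s auto : %s\n", $label, trim($auto));
    printf("%-16s %s\n\n", '',
        $plain === $auto ? 'unchanged' : 'changed by output-level escaping');
}
```

Running this shows all three captures differ once escaping is applied at the output layer, because the escaping that is correct for a value depends on where it lands (json_encode for JSON, htmlspecialchars inside an HTML template, nothing for plain text), and that is only known at the point in the code that builds the value, not at the point where bytes leave the buffer.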
> > This approach has the smell of magic quotes which we got rid of for > > very good reason. XHP is much more explicit in separating markup from > > data and relies far less (not at all when you do it right) on escape > > hatches. > > Huh, I don't see similarities to magic quotes at all. That had to do with > attempting to sanitize input data (plenty of problems with that). All > templating systems have a means of making the default output > mechanism perform escaping and a means of preventing that > escaping with, this adds the same for php templates. The similarity is that magic quotes assumed that the input data was going to be embedded within an SQL query without escaping, and therefore needed escaping. Of course that's an invalid assumption, the input data could be re-rendered, processed in some arbitrary way, written to a file, sent in an email, to another web service, etc etc. This feature makes a similar assumption about output, rather than input. Specifically, it assumes that the output is HTML, and what is being echoed hasn't already been escaped and therefore needs to be escaped. Of course that's an invalid assumption, command line scripts do echo/print of plain text, and I've seen PHP scripts generate JSON (eg a web service), JavaScript, CSS and plain text via the output buffer. Not to mention anything could so ob_start(); // ... echo $blah; // ... $foo = ob_get_clean(); or ob_start(); // ... ?>...<?= $blah ?>...<? // ... $foo = ob_get_clean(); and have an expectation about $foo.