I think having the behaviour of language features depend in an incompatible
way on a global runtime setting is a bad idea because it creates nonlocal
effects and means code cannot be reliably composed. Effectively, every
function and method will have an implicit assumption about whether or not
it is supposed to be called "during templating" i.e. with __auto_escape set
to 0 or 1. If you are *very* careful to separate your "templating" code
from the rest of your code and not to call either from the other, I guess
it would work, but it creates a burden on the programmers I'd rather them
not have. Without this setting, I know I always need to do <?= to_html(
$text ) ?>. Easy. But now to figure out whether I need to escape my HTML or
not I have to traverse the call graph to try to figure out what the value
of __auto_escape is going to be at *runtime*. Eugh.

On Mon, Mar 21, 2016 at 6:28 PM, Daniel Beardsley <dan...@ifixit.com> wrote:

> > The similarity is that magic quotes assumed that the input data was
> > going to be embedded within an SQL query without escaping, and therefore
> > needed escaping. Of course that's an invalid assumption, the input data
> > could be re-rendered, processed in some arbitrary way, written to a file,
> > sent in an email, to another web service, etc etc.
> >
> > This feature makes a similar assumption about output, rather than input.
> > Specifically, it assumes that the output is HTML, and what is being
> > echoed hasn't already been escaped and therefore needs to be escaped.
>
> True, but the difference is that safety is the default instead of
> the exception. Every system has an assumption. It's better that
> mistakes about escaping cause double-escaped html than
> an XSS hole.
>
> > that's an invalid assumption, command line scripts do echo/print of plain
> > text, and I've seen PHP scripts generate JSON (eg a web service),
> > JavaScript, CSS and plain text via the output buffer. Not to mention
> > anything could so
>
> I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
> turned on during template rendering (imagine you have a Template
> class):
>
> function render() {
>    ini_set('__auto_escape', 1);
>    require $this->templatePath;
>    ini_set('__auto_escape', 0);
> }
>
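The two hazards raised above (a helper whose output depends on who called it, and a set/run/reset wrapper that leaks the flag) can be shown in plain PHP by simulating the proposed setting with a global. This is an added example, not code from the thread or the RFC; $autoEscape, out(), to_html(), user_link(), naive_render() and safe_render() are all stand-ins.

```php
<?php
// Added illustration, not code from the thread. The proposed __auto_escape
// setting is simulated with a global; every name below is a stand-in.
$autoEscape = 0;
function to_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for echo under the proposal: escapes only when the flag is on.
function out(string $s): string {
    global $autoEscape;
    return $autoEscape ? to_html($s) : $s;
}

// A helper written the "always escape it yourself" way. What it emits now
// depends on a flag its author cannot see from inside the function.
function user_link(string $name): string {
    return out('<a>' . to_html($name) . '</a>');
}

// The render() shape from the thread: set, run, reset. If the template
// throws, the reset never runs and the flag leaks into whatever runs next.
function naive_render(callable $template): string {
    global $autoEscape;
    $autoEscape = 1;
    $html = $template();
    $autoEscape = 0;
    return $html;
}

// Restoring the previous value in finally fixes the leak, but user_link()
// still behaves differently depending on who called it.
function safe_render(callable $template): string {
    global $autoEscape;
    $prev = $autoEscape;
    $autoEscape = 1;
    try {
        return $template();
    } finally {
        $autoEscape = $prev;
    }
}

$name = 'Bob <b>&</b>';
echo user_link($name), "\n"; // outside templating: escaped once, markup kept
echo safe_render(function () use ($name) { return user_link($name); }), "\n";
// inside templating: the <a> tags are escaped too and the name escaped twice
try { naive_render(function () { throw new RuntimeException('fail'); }); }
catch (RuntimeException $e) { }
var_dump($autoEscape); // never reset: later code is still "during templating"
```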
