> I think having the behaviour of language features depend in an incompatible
> way on a global runtime setting is a bad idea because it creates nonlocal
> effects and means code cannot be reliably composed.

This is probably the best argument against this RFC. Though how often that issue would come up... I have no idea. It hasn't yet in our usage (2 years) but we don't use that many external libraries during template rendering, at least none that have used their own templating.

A potential solution is to create a new syntax like: <?E= or something but that of course has even more challenges and backward incompatibility, unless it's done in an extension.. hmm. You would then have to prevent usage of <?= in templates with a pre-commit hook or add the check to your CI build.

> Effectively, every
> function and method will have an implicit assumption about whether or not it
> is supposed to be called "during templating" i.e. with __auto_escape set to
> 0 or 1. If you are very careful to separate your "templating" code from the
> rest of your code and not to call either from the other, I guess it would
> work, but it creates a burden on the programmers I'd rather them not have.

I think I fail to see the burden. You write code as normal, it's always safe to <?= $anything ?> so no thought required there. When some template helper function generates html, it must tag it as such upon returning:

return html($someHtmlStr)

Perhaps I've never had the need to use php's templating features to generate something other than HTML during our HTML template rendering phase.

> Without this setting, I know I always need to do <?= to_html( $text ) ?>.
> Easy.

Sure, but that's a lot of ugly syntax and you'd have to enforce usage of that function with a regex in a pre-commit hook or a CI build to prevent dangerous mistakes.

> But now to figure out whether I need to escape my HTML or not I have to
> traverse the call graph to try to figure out what the value of __auto_escape
> is going to be at runtime. Eugh.

Huh? I think I'm missing something, or my description wasn't clear enough. The point of *auto* is that you don't need to escape anything.
Templates shouldn't need to include new HtmlString() nor htmlspecialchars(). Functions that generate html simply return an HtmlString object. The template will pass them straight through.

Our methodology has been to mark content as HTML at the source (when it is generated, in small bits) and the downstream (the templates) don't have to care and can safely echo anything.

--
PHP Internals - PHP Runtime Development Mailing List
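
The "mark content as HTML at the source" pattern described in the message above, as an added userland sketch that is not part of the original post or of the RFC. HtmlString and html() are named in the message but their bodies here are assumptions, and out() is a hypothetical stand-in for what an auto-escaping short echo tag would do.

```php
<?php
declare(strict_types=1);

// Marker type: wraps a string that was generated as HTML on purpose.
final class HtmlString
{
    public function __construct(private string $html) {}
    public function __toString(): string { return $this->html; }
}

// Helper named in the message; this implementation is an assumption.
function html(string $trusted): HtmlString
{
    return new HtmlString($trusted);
}

// Hypothetical stand-in for the auto-escaping echo: values tagged as
// HtmlString pass straight through, everything else is escaped.
function out(mixed $value): string
{
    if ($value instanceof HtmlString) {
        return (string) $value;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Template helper: escapes its own inputs, then tags the result at the source.
// HTML-escaping does not validate the URL scheme; that is a separate check.
function link_to(string $url, string $label): HtmlString
{
    return html('<a href="' . out($url) . '">' . out($label) . '</a>');
}

// Constructed sample values.
$untrusted = '<script>alert(1)</script>';
$link      = link_to('/users?id=1&tab=2', 'Tom & "Jerry"');

// Plain string: escaped on output, no action needed in the template.
echo out($untrusted), "\n";

// Tagged value: emitted as markup, with its parts already escaped.
echo out($link), "\n";

// Edge case: concatenation turns the object back into a plain string, so the
// tag is lost and the result is escaped again. The failure mode is visible
// double-escaping, not unescaped output.
echo out($link . ' (new)'), "\n";
```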