Hi!

> True, but the difference is that safety is the default instead of
> the exception. Every system has an assumption. It's better that

This sounds as if the major assumption is that there's some procedure ("the safety") that allows rendering any output safe. This could not be more wrong. Escaping is highly context-dependent, and without knowing the specific details of the context it is impossible to do proper escaping. I do not see how setting one flag could provide the proper context. Moreover, one template may include multiple contexts.

> I'm sorry, I wasn't clear in the RFC. This feature is meant to only be
> turned on during template rendering (imagine you have a Template
> class):

I think there's an assumption here that templates only exist in one context, or at least allow user data in only one context. This is not true, of course. But if it were true, this code would be trivial to make safe:

> function render() {
>     set_ini('__auto_escape', 1);
>     require $this->templatePath;
>     set_ini('__auto_escape', 0);
> }

function render() {
    ob_start();
    require $this->templatePath;
    echo magic_security_filter(ob_get_clean());
}

-- 
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
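The point made above, that one template routinely places the same value in several output contexts and a single global escaper cannot serve all of them, as an added example that is not part of the thread or of any PHP RFC. It renders one constructed value into four slots of one template twice: once with a single HTML escaper applied to every output (what a global auto-escape switch would amount to) and once with the escaper chosen per context. The function names, the `escHref` allow-list policy and the sample inputs are this example's own assumptions; the escaping calls themselves are standard PHP functions.

```php
<?php
declare(strict_types=1);

// Context-specific escapers. Each uses a standard PHP function; the names are
// this example's own.

function escHtml(string $s): string
{
    // HTML body text and double-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJsString(string $s): string
{
    // A JS string literal inside <script>: JSON-encode, with <, >, &, ' and "
    // hex-escaped so the string can never contain a literal "</script>".
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

function escHref(string $url): string
{
    // An href needs validation, not just escaping: "javascript:alert(1)" contains
    // no HTML-special characters. Assumed policy: allow only http(s), else "#".
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        $url = '#';
    }
    return escHtml($url);
}

// One template, four contexts, same value.
// "Naive": one escaper applied to every output, as a global auto-escape flag would do.
function renderNaive(string $v): string
{
    $e = escHtml($v);
    return "<p>$e</p>\n"
         . "<a href=\"$e\">link</a>\n"
         . "<div class=$e></div>\n"               // unquoted attribute
         . "<script>var v = \"$e\";</script>\n";  // JS string literal
}

// "Contextual": the escaper matching each slot, and the attribute quoted.
function renderContextual(string $v): string
{
    return "<p>" . escHtml($v) . "</p>\n"
         . "<a href=\"" . escHref($v) . "\">link</a>\n"
         . "<div class=\"" . escHtml($v) . "\"></div>\n"
         . "<script>var v = " . escJsString($v) . ";</script>\n";
}

// Constructed inputs; each targets one context where HTML escaping alone is
// either useless or actively wrong.
$inputs = [
    'body'     => '<b>x</b>',                // HTML body: htmlspecialchars is correct here
    'href'     => 'javascript:alert(1)',     // escHtml is a no-op; naive output is exploitable
    'unquoted' => 'x onmouseover=alert(1)',  // a space ends an unquoted attribute value
    'jsstring' => "line1\nline2\\",          // raw newline and backslash break the JS literal
];

foreach ($inputs as $label => $v) {
    echo "=== $label: naive ===\n",      renderNaive($v);
    echo "=== $label: contextual ===\n", renderContextual($v);
}
```

Running it shows the failure modes the message alludes to: with the naive filter the `href` case emits `<a href="javascript:alert(1)">` untouched, the unquoted-attribute case emits `<div class=x onmouseover=alert(1)>`, and the JS case emits a string literal split across a real newline and ending in a backslash, which is a syntax error rather than a safely escaped value. Only the body case comes out right, which is exactly the one context a global HTML auto-escape is designed for.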