Hello. I've created an article on the Russian technical site habrahabr.ru: https://habrahabr.ru/post/304162/
There is a poll about introducing such an operator. About 60% of the people who have projects without a template engine are "for" this operator, and even half of those who don't also think that such an operator can be useful. I think you can use Google Translate to read it; common sense and the code examples should be understandable.
https://translate.google.com/translate?sl=en&tl=ru&js=y&prev=_t&hl=ru&ie=UTF-8&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F304162%2F&edit-text=&act=url

Current results:

How often do you work with projects with template rendering in PHP where template engines are not used?
  35% (163) Always
  22% (104) Quite often
  18% (86)  Quite rarely
  25% (117) Almost never
  470 people voted, 116 abstained.

How do you think, would such an operator be useful?
  56% (264) Yes
  44% (207) No
  471 people voted, 121 abstained.

I don't use PHP template rendering ...
  51% (147) and I think that such an operator is not needed
  49% (139) but I think that such an operator will come in handy
  286 people voted, 247 abstained.

Screenshot in Russian: https://habrastorage.org/files/675/9ac/883/6759ac8834044ef0b5a09163c791f376.png

60% are "for" this operator; the projects of the other 40% will not be affected. I think this is a good reason to create an RFC and discuss it on a more global level.

2016-06-21 9:51 GMT+05:00 Михаил Востриков <michael.vostri...@gmail.com>:
>
> So, not needed in all 3 cases then...
> So, we can still use the <?= operator.
>
>
> >> Imagine that urlencode does not encode quotes - what function should we
> >> call for its result?
> > Ideally, an escape filter that performs both functions; if the aim is to
> > make things easier
> No. The second function really depends on context, but HTML context is
> always present. The aim is to create a shortcut for HTML escaping, decrease
> copy-paste, and increase security.
>
>
> > I shouldn't need to think about the need to nest two escape functions.
> > the claim of "secure by default" doesn't really stand up.
> This is about a super-universal-operator. I did not suggest "secure by
> default". As Thomas said, this is just an alias, not more, not less.
>
>
> > <script>$('[data-thing-id="<?~ $thing['name'] ?>]').on('click',
> > function(){doThing('<?~ $thing['name'] ?>'});</script>
> > I'm pretty sure the tempting syntax is actively harmful in that
> > situation...
> You should not call htmlspecialchars inside script tags, even without the <?~
> operator, because this is not an HTML context.
>
>
> > HackLang's XHP is another - rather than thinking about escaping as an
> > action
> > If the compiler could look at my previous example and recognise the
> > attribute, URL, script, and text contexts itself
> This is a very complex solution, and it can cause some issues with
> performance. Also, as I understand, it just calls htmlspecialchars.
> https://github.com/facebook/xhp-lib/blob/master/src/core/XHP.php#L68
> https://github.com/facebook/xhp-lib/blob/master/src/html/Element.php#L122
>
>
> > what is the correct escape method for an attribute named "data-my-action"
> It should be HTML-encoded, because it is HTML markup.
>
>
> > And that is exactly the problem. Inventing operators to alias one
> > invocation of one function with one specific set of parameters is not a
> > good idea, unless there is a *VERY* good reason to do it.
> The call of htmlspecialchars is a very frequent case, and the specific set of
> parameters (HTML context) is always present. Is it a very good reason?
>
>
> > And the case for this specific piece of code to deserve its own operator
> > is rather weak.
> Why do you think so, why is it weak?) As I showed, HTML context is always
> present, even if we write inline javascript in an 'onclick' attribute.
> This is not another context, there are 2 contexts together, and there is
> no need to determine it inside the compiler - one context is always here.
> So, it deserves its own operator.
>
>
> > Let's summarize.
> > We must not call htmlspecialchars() in the following cases:
> > Inside <style> tag
> This is a very specific case. CSS is usually stored in static files.
> > Inside <script> tag
> This is a more frequent case, but usually it is used when we need to pass a
> big object from PHP into Javascript. And here it is not just escaping, here is
> a special notation - JSON.
> For small pieces of data JSON can also be used, but it's better to use
> data-attributes. And here we need to call htmlspecialchars.
> > Text files
> Text files with PHP processing can be used in code generators. The standard
> <?= operator is enough here.
>
> Any other cases and their combinations are very specific. For XML
> htmlspecialchars is also enough.
>
> So, my question is - can I create an RFC, or are there any arguments
> against? I think I explained why all arguments above are unsuitable.
>
>
>
> 2016-06-21 4:35 GMT+05:00 Stanislav Malyshev <smalys...@gmail.com>:
>
>> Hi!
>>
>> > As mentioned a few times in this thread, <?~ is an alias for <?=
>> > htmlspecialchars(, not more, not less.
>>
>> And that is exactly the problem. Inventing operators to alias one
>> invocation of one function with one specific set of parameters is not a
>> good idea, unless there is a *VERY* good reason to do it. And the case
>> for this specific piece of code to deserve its own operator is rather
>> weak.
>>
>> --
>> Stas Malyshev
>> smalys...@gmail.com
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
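The per-context escaping the thread argues about, written out as an added PHP template. This is not code from the thread, from PHP, or from XHP: the helpers h() and js(), the doThing() function and the sample data are all constructed for the illustration. The thread describes "<?~ $x ?>" as an alias for "<?= htmlspecialchars($x) ?>", so h() stands in for that alias here.

```php
<?php
// Added example (not from the thread). h() stands in for the proposed "<?~"
// alias of htmlspecialchars(). ENT_QUOTES is passed explicitly because the
// htmlspecialchars() default did not encode single quotes before PHP 8.1,
// which matters as soon as a value lands in a single-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JSON for embedding in an HTML document. The JSON_HEX_* flags turn < > & ' "
// into \uXXXX escapes, so a value containing "</script>" cannot close the
// script element; non-ASCII (including U+2028/U+2029) is escaped by
// json_encode() by default.
function js($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample data with characters that matter in each context.
$thing  = ['id' => 7, 'name' => "O'Reilly <b>\"quoted\"</b> & co"];
$config = ['items' => [$thing], 'title' => '</script><b>not a tag</b>'];
?>
<!-- 1. Text node and attribute value: HTML context, so h() alone is right. -->
<div data-thing-id="<?= h($thing['name']) ?>"><?= h($thing['name']) ?></div>

<!-- 2. Inside <script>: not an HTML context, so no htmlspecialchars() here;
        the whole object is passed as JSON instead. -->
<script>
var config = <?= js($config) ?>;
</script>

<!-- 3. Inline JavaScript in an onclick attribute: two contexts at once. JSON
        makes the JavaScript string literal, then h() because the attribute
        value is HTML markup and is entity-decoded before the JS is parsed. -->
<button onclick="doThing(<?= h(js($thing['name'])) ?>)">Go</button>

<!-- 4. Small values needed by a script: keep them in a data attribute (HTML
        context, h() again) and read them from JavaScript. -->
<button data-name="<?= h($thing['name']) ?>" onclick="doThing(this.dataset.name)">Go</button>
```

Save it as a .php file and run it with php from the command line or under php -S to see the rendered output. Case 3 illustrates the thread's "two contexts together" point: after js() the name is a quoted JavaScript literal with < > & ' " escaped as \u003C and friends, and h() then only has to turn the surrounding double quotes into &quot;, which the browser decodes back before handing doThing() a valid string. Note that a bare alias of htmlspecialchars() with no flags would inherit the default flags, which on PHP versions before 8.1 left single quotes unencoded, so such an alias is only safe in double-quoted attributes and text nodes unless the flags are part of its definition.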