On Fri, Jul 1, 2016 at 10:51 AM, Михаил Востриков <michael.vostri...@gmail.com> wrote:

> > I can easier add a new template to e.g. a Laravel
> > project (own parser, own extension, living next to existing blade
> > templates)
>
> Your project already has a template engine, and the framework has common code
> which works with such engines.
> But how much time do you need to convert all existing templates to a new
> TE?
>
> I mean the projects without a template engine, which work and are developed
> every day.
> Their number is rather large - various CMSs, projects with a custom core; Yii
> and Zend don't have a TE by default.
> In a big project there are a lot of PHP templates with <?= htmlspecialchars
> ?> or <?= h() ?> or <?= (int)$some_id ?> everywhere.
> If we miss this somewhere, we could get an XSS.
>
>
> 2016-07-01 12:53 GMT+05:00 Markus Fischer <mar...@fischer.name>:
>
> > On 01.07.16 05:34, Михаил Востриков wrote:
> > > Because it is almost impossible to add a template engine in a big project
> > > with PHP templates. But a new version of the language usually can easily be
> > > used.
> >
> > I interpret "But new version of language usually can easily be used" as
> > in a new PHP version being installed on a server touted as being
> > "easier" than changing/replaced/adding a new template language component
> > with a framework?
> >
> > I object to this. I can easier add a new template to e.g. a Laravel
> > project (own parser, own extension, living next to existing blade
> > templates) than switching to a new PHP version on production servers.
> >
> > - Markus
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >

In a big project there are a lot of PHP templates with <?= htmlspecialchars ?> or <?= h() ?> or <?= (int)$some_id ?> everywhere.

How will a new output operator help in this case? You still have to search for `<?=`, `<? echo`, `<? print` occurrences and replace them with `<?~`. Saying that one can forget to add `<?= h()` can be applied to `<?~` as well: you can miss `<? echo` somewhere in a template and get the same result at the end.

--
Thank you and best regards,
Eugene Leonovich
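The audit step described in the thread (find every `<?=`, `<? echo` and `<? print` tag and check that its output goes through htmlspecialchars, h() or an (int) cast) can be scripted. The checker below is an added example, not code from the thread or from PHP; it assumes the project's h() helper wraps htmlspecialchars, and the template it scans is constructed for the demonstration.

```python
import re

# Output tags in plain-PHP templates: <?= expr ?>, <?php echo expr; ?>, <? echo expr ?>, <? print expr ?>
ECHO_TAG = re.compile(
    r"<\?(?:=|(?:php)?\s*(?:echo|print)\b)\s*(?P<expr>.*?)\s*;?\s*\?>", re.DOTALL
)
# Escaping helpers this audit trusts (assumption: the project's h() wraps htmlspecialchars)
ESCAPER_CALL = re.compile(r"^(?:htmlspecialchars|htmlentities|h)\s*\(")
# A numeric/bool cast is safe only when it applies to one plain variable:
# (int)$a . $b binds as ((int)$a) . $b and still emits $b raw.
CAST_OF_VARIABLE = re.compile(
    r"^\(\s*(?:int|integer|float|double|bool)\s*\)\s*\$\w+(?:\[[^\]]*\]|->\w+)*$"
)

def _escaper_wraps_whole(expr: str) -> bool:
    """True if the escaping call's parentheses enclose the entire expression."""
    m = ESCAPER_CALL.match(expr)
    if not m:
        return False
    depth = 0
    for i in range(m.end() - 1, len(expr)):  # m.end() - 1 is the opening "("
        if expr[i] == "(":
            depth += 1
        elif expr[i] == ")":
            depth -= 1
            if depth == 0:
                return expr[i + 1:].strip() == ""  # nothing may follow the call
    return False

def find_unescaped_echoes(template: str) -> list:
    """Return (line, expression) for each output tag that is neither fully escaped nor cast."""
    findings = []
    for m in ECHO_TAG.finditer(template):
        expr = m.group("expr").strip()
        if _escaper_wraps_whole(expr) or CAST_OF_VARIABLE.match(expr):
            continue
        findings.append((template.count("\n", 0, m.start()) + 1, expr))
    return findings

# Constructed sample template: lines 1-2 are escaped, lines 3-6 emit raw data.
SAMPLE_TEMPLATE = """\
<h1><?= htmlspecialchars($title) ?></h1>
<p><?= h($user->name) ?> (<?= (int)$user->id ?>)</p>
<a href="<?= $link ?>">link</a>
<?php echo $comment; ?>
<? print h($a) . $b ?>
<td><?= (int)$id . $suffix ?></td>
"""

print(find_unescaped_echoes(SAMPLE_TEMPLATE))
```

This is a textual heuristic, not a PHP parser: an echo that is not the first statement of a tag (for example inside an if block) or a parenthesis inside a string literal can fool it, so treat its output as a worklist for review rather than proof of safety.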