> For instance:
>
> // file1.php
> set_escape_handler('e', 'html_entities_encode');
>
> // file2.php
> set_escape_handler('e', 'my_own_encode');
>
> // file3.php
> <?* $value, 'e' ?>
>
> If file1.php includes file3.php, it should use the first implementation.
> If file2.php does that, the second implementation will run. I can't
> control where it comes from.
> If file1.php includes file2.php, what should happen? error? override?

What is the difference from a function e()? What should happen - error or override? And as I wrote in the previous message: "Maybe a better way is to make it similar to set_error_handler() - not for context as it is in the RFC, but for an 'escape' callable." So in your example set_escape_handler() should be used as "set_escape_handler('my_own_handler')". Whether you raise an error or override is up to you.

> It is a string too, instead of an identifier like in <?* $value, escape ?>
> ... IDE will have a problem identifying where you have defined it

It should not be an identifier or a single function name, because in this way we could not use closures or object methods ($this->escape) for escaping. Context should be an expression, like it is done in template engines. So, no problems with the IDE.

> Currently I could do it like: <?= echo clamp($value, 5, 25, true); ?>. How can you do that in your case?

This is not a task of escaping. This is logic (business logic or presentation logic).

> current escape methods seem to be more efficient and without creating a new operator, like: <?php e($value); ?>

The problem is not that we don't have a function, the problem is that we must copy-paste it everywhere, and if we forget to do it, we will get an XSS.

> This is the part I don't get. How does "using an operator everywhere" remove the effort of "using a function everywhere"? It's the same effort in both cases.

"using an operator everywhere" and "using an operator + function everywhere, especially if the operator itself works well but is unsafe".

> If somebody can't type "e(" and ") without copying and pasting, then they're going to have a hard time writing any meaningful code.

What is the difference in how he wrote 'e()'? It may be 'ctrl-c-ctrl-v', 'ctrl-insert-shift-insert', 'e-shift-(-)'. The result is the same - this is copied code.

> More flexible to what end? Why do I need to be able to dynamically define arbitrarily complex expressions as the filter name?

To the case when we write escapers statically. Twig allows passing a context as a variable, so why is it needed to specially restrict the escaping mechanism in PHP? We don't know all possible tasks which can require additional escaping together with HTML.

> With this on the function set for filter will be invoked on the output of any echo statement or the shortcode for it.
> When raw output is still needed allow print() to output the content bypassing any declared filters for the file.

This will require a lot of changes in the language. For now, 'print', 'echo', <?= $a, $b ?>, <div></div> output a value via the echo opcode.