On 24/07/2016 10:42, Michael Vostrikov wrote:
> It is a string too, instead of an identifier like in <?* $value, escape ?>
> ... The IDE will have problems identifying where you have defined it.
> It should not be an identifier or a single function name, because in that way we
> could not use closures or object methods ($this->escape) for escaping.
> The context should be an expression, like it is done in template engines. So,
> no problems with the IDE.
register_escape_handler('foo', [$this, 'escape']);
<?*foo= $something ?>
Where's the problem?
If you mean you want to be able to pass an actual callable as the
context, what would be the point? Why would I ever write this:
<?* $something, [$this, 'escape'] ?>
when I could just write this:
<?= $this->escape($something) ?>
>> This is the part I don't get. How does "using an operator everywhere"
>> remove the effort of "using a function everywhere"? It's the same effort in
>> both cases.
> "using an operator everywhere" and "using an operator + function
> everywhere, especially if the operator itself works good but is unsafe".
Sorry, I still don't get it. <?= will still "work good but be unsafe" no
matter how the correctly-escaped version looks. When somebody's typing
code into their PHP "template" file, they've got to remember which
symbols to type; they don't care if those symbols are an operator, a
function, or a magic incantation. Look at the WordPress documentation,
it talks about "tags", which any programmer immediately recognises as
function calls.
So to a novice writing templates, it doesn't really matter if you say
the incantation to output a variable is "<?= e($" followed by the
variable name and ")?>", or "<?* $" followed by the variable name and
"?>". One is 3 characters shorter, but that is the sole difference in
terms of effort.
If somebody can't type "e(" and ")" without copying and pasting, then
they're going to have a hard time writing any meaningful code.
> What is the difference in how he wrote 'e()'? It may be 'ctrl-c-ctrl-v',
> 'ctrl-insert-shift-insert', 'e-shift-(-)'. The result is the same: this is
> copied code.
Huh? Is the word "I" copied in this e-mail, because the English language
requires me to write it more than once? And if "e(" is "copied code",
how is the "*" in "<?*" not also "copied code"?
I get it, if you are talking about having to type "htmlspecialchars()"
the whole time, but I stand by my assertion that anyone put off by
typing "e()" is beyond hope.
>> More flexible to what end? Why do I need to be able to dynamically define
>> arbitrarily complex expressions as the filter name?
> To the case when we write escapers statically. Twig allows passing a
> context as a variable; why is it needed to specially restrict the escaping
> mechanism in PHP? We don't know all possible tasks which can require
> additional escaping together with HTML.
Twig allows you to register a named "strategy" to a single callable,
exactly as I am suggesting:
http://twig.sensiolabs.org/doc/filters/escape.html#custom-escapers This
is much more useful than a single callback that has to handle all
possible strategies.
You're right that Twig allows you to use a variable as the escaping
strategy, although it warns that doing so defeats the intelligence of
its auto-escaping mechanism. But this could still be done without
allowing arbitrary expressions, or embedding syntax inside the strategy
argument:
<?*$strategy*html= $text ?>
We don't need to handle all possible things that anyone might ever want
to do. If they're doing something complex, they can implement their own
way of doing it - probably by writing a templating engine, or using one
of the many that already exist.
Regards,
--
Rowan Collins
[IMSoP]
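As an added example (not code from the thread, and not part of PHP or Twig): a userland sketch of the named-strategy registry discussed above, showing that a strategy name can be bound to any callable, including an object method like [$this, 'escape'], and that the call-site form e($x, 'url') carries the same context information as a proposed <?*url= $x ?>. The names Escaper, register, e, View and the strategy names are assumptions.

```php
<?php
// Added example, not code from the thread or from PHP: a userland sketch of a
// named-strategy escaping registry. Class, function and strategy names are assumptions.
declare(strict_types=1);

final class Escaper
{
    /** @var array<string, callable> */
    private static array $handlers = [];

    // Counterpart of the proposed register_escape_handler('foo', [$this, 'escape']):
    // a strategy name maps to any callable, so closures and object methods both work.
    public static function register(string $name, callable $handler): void
    {
        self::$handlers[$name] = $handler;
    }

    public static function escape(string $value, string $strategy = 'html'): string
    {
        if (!isset(self::$handlers[$strategy])) {
            // An unknown strategy is a programming error; fail loudly rather than emit raw output.
            throw new InvalidArgumentException("No escape handler registered for '$strategy'");
        }
        return (self::$handlers[$strategy])($value);
    }
}

// Built-in strategies, one per output context (HTML text/attribute, URL component, JS string).
Escaper::register('html', fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
Escaper::register('url', fn(string $s): string => rawurlencode($s));
Escaper::register('js', fn(string $s): string => json_encode(
    $s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR));

// The short helper the thread calls e(): in a template the author writes <?= e($x, 'url') ...
function e(string $value, string $strategy = 'html'): string
{
    return Escaper::escape($value, $strategy);
}

// A user-defined strategy bound to an object method, the case raised in the thread:
// HTML-escape first, then add <br> markup, so the markup is never escaped away.
final class View
{
    public function escape(string $s): string { return nl2br(e($s)); }
}
Escaper::register('multiline', [new View(), 'escape']);

$untrusted = "<script>alert(\"x\")</script>&\nline two"; // constructed sample input
foreach (['html', 'url', 'js', 'multiline'] as $strategy) {
    echo $strategy, ': ', e($untrusted, $strategy), "\n";
}
```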
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php