> It's not that difficult to write a static analyser that detects
> instances of "<?=" not followed by "h(" or "e(" or whatever.
<?* and <?= are the same for all applications; h() is user-defined. So you need to
write a different analyzer for every application if you use h() or e().
> Surely the feature gets most of its value from what you *don't* need to
> do - which is why I think it's bizarre that the current version doesn't
> even have a built-in HTML escaper at all.
I think it's no problem to have a follow-up RFC defining some default escapers.
> It's not possible for multiple frameworks or libraries to declare
> different escape handlers in your proposal, either.
Not sure I get your point?
public function render($template) {
    // set_escape_handler()/restore_escape_handler() are the proposed functions
    // from the RFC (not existing PHP); <?* inside $template calls the handler
    set_escape_handler(['SomeClass', 'methodName']);
    ob_start();
    include $template;
    $content = ob_get_clean();
    restore_escape_handler();
    return $content;
}
> You could equally say, "with <?=e()?> you have to define an e()
> function". The main effort is remembering to use the right syntax, which
> you have to do either way.
The thing here is that people can use <?= without e() and save coding time.
Security cannot be optional, see.
git clone https://github.com/phpmyadmin/phpmyadmin.git
git log | grep -i xss | wc -l
206
Regards
Thomas
Rowan Collins wrote on 24.07.2016 18:39:
> On 24/07/2016 17:21, Thomas Bley wrote:
>>> <?* $str ?>
>>>
>>> instead of
>>>
>>> <?=h($str)?>
>> Benefits are using static code analyzers, grep "<?=" for code reviews, etc.
>
> It's not that difficult to write a static analyser that detects
> instances of "<?=" not followed by "h(" or "e(" or whatever.
>
>
>> Having function names with single characters is bad taste and only useful for
>> obfuscating.
>
> And having a token "*" that calls a different function in every
> application is somehow less obfuscated?
>
>
>> Using multiple frameworks or libraries, it's not possible to redeclare
>> functions with the same name.
>
> It's not possible for multiple frameworks or libraries to declare
> different escape handlers in your proposal, either.
>
>
>> The big difference is:
>> With <?*, you have to define an escaping function, with <?= it's optional.
>
> You could equally say, "with <?=e()?> you have to define an e()
> function". The main effort is remembering to use the right syntax, which
> you have to do either way.
>
> Surely the feature gets most of its value from what you *don't* need to
> do - which is why I think it's bizarre that the current version doesn't
> even have a built-in HTML escaper at all.
>
> Regards,
> --
> Rowan Collins
> [IMSoP]
>
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
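As an added illustration (not code from the thread or from the RFC), here is the <?=h($str)?> convention in plain PHP, together with the kind of static check Rowan describes: h() wraps htmlspecialchars(), renderTemplate() mirrors the output-buffering approach in the mail, and findUnescapedEchoTags() is a regex-based analyzer that flags "<?=" tags whose expression is not wrapped in h( or e(. The proposed set_escape_handler()/restore_escape_handler() functions do not exist in PHP and are not used; the template and input values are constructed.

```php
<?php
declare(strict_types=1);

// User-defined escaper, named h() as in the thread; safe for HTML text and
// double-quoted attribute values (ENT_QUOTES also escapes the quote characters).
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Static check: every "<?=" short echo tag not immediately followed by h( or e(.
// Returns a list of [line number, tag text]. A regex cannot follow data flow, so
// this enforces the naming convention only; it does not prove the template safe.
function findUnescapedEchoTags(string $template): array
{
    $findings = [];
    preg_match_all('/<\?=\s*(.*?)\?>/s', $template, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[1] as $i => [$expr, $offset]) {
        if (preg_match('/^(?:h|e)\s*\(/', $expr) === 1) {
            continue; // expression is wrapped in an escaper
        }
        $line = substr_count($template, "\n", 0, $m[0][$i][1]) + 1;
        $findings[] = [$line, trim($m[0][$i][0])];
    }
    return $findings;
}

// Same output-buffering pattern as render() in the mail, minus the proposed
// escape-handler calls; $vars become local variables visible to the included file.
function renderTemplate(string $templateFile, array $vars): string
{
    extract($vars, EXTR_SKIP);
    ob_start();
    include $templateFile;
    return ob_get_clean();
}

// Constructed template: line 1 follows the convention, line 2 does not.
$template = <<<'TPL'
<p>Name: <?=h($name)?></p>
<p>Bio: <?= $bio ?></p>
TPL;
$vars = ['name' => 'Ann & Co <b>', 'bio' => '<b>HTML typed by the user</b>'];

$file = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($file, $template);
echo renderTemplate($file, $vars);   // line 1 shows &amp; and &lt;b&gt;; line 2 emits raw HTML
unlink($file);

foreach (findUnescapedEchoTags($template) as [$line, $tag]) {
    echo "line $line: unescaped short echo $tag\n";   // reports line 2 only
}
```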