On 26/07/2016 14:15, Michael Vostrikov wrote:
Ok. Let me just ask you: why have people been asking the same question again and again since the time PHP
was created? Why are almost all the feature requests mentioned in the RFC about an
easy way to call htmlspecialchars()? You can vote up or down; I just want
to get an official result about this feature. I think it can be considered
an official answer to the community, to those people in the community who would
like to use a default escaping mechanism in PHP.

Hi Michael,

I think you and I are mostly going in circles at this point, so I'm going to refrain from blow-by-blow responses and sum up my thinking on this RFC.

Overall, I think there is some merit to the idea, but I think the detail is important.

The aim in my mind would be to make escaping easier to do right, for people who aren't already using a framework or templating engine with its own solution.

- Without an actual implementation, the feature wouldn't be useful to those people.
- Configurability should be a long way down the list of priorities, for the same reason.
- I think contexts other than HTML should be included to remind users that they exist, but HTML could be the default.
- Contexts should be stackable/nestable, *without the user writing any extra code*.
- The syntax should be easy to read as well as easy to write. How easy it is to implement is a low priority.

The current implementation doesn't seem to share these priorities; it feels like a building block for framework developers, who probably have their own solutions already.


A few mentions have been made of Twig, which is known for its comprehensive escaping support; it goes a lot further than the fact that "|e" is an alias for "|escape('html')":

- you can define automatic escaping for a whole file or a block within a file
- there is an extra filter to skip the automatic escaping (not the same as unescaping)
- the above can be done with any "context", but the default is HTML
- a "context" is not just the argument to a single all-powerful "escape" function; you can register a new context by name, without reimplementing any of the existing functionality
- other template functions can say that their output shouldn't be escaped, or that their input should be pre-escaped
- other functionality of the system is aware of these notions, and designed to behave sensibly

I don't think there's any way PHP can ever reach that level of sophistication, because most of the language knows nothing about "context"; the feature we build in is only ever going to be a simple short-hand for some basic function calls.


In many ways, defining a built-in function e($string, $context) would fulfil most of the above. A dedicated syntax might make it a little easier to type, and could handle nested contexts more elegantly. The ability to register additional contexts and take advantage of the syntax and nesting could be a simple addition. Any more complicated than that, and you're fighting a losing battle against dedicated templating engines.

That's my opinion, anyway. It is just an opinion, and you're free to disagree with it, but hopefully my reasoning is clear.

Regards,

--
Rowan Collins
[IMSoP]


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

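The e($string, $context) function with stackable contexts and a registry that the message sketches (and the Twig-style "register a new context by name" behaviour it compares against), as an added userland example. This is not code from the thread, the RFC, PHP itself or Twig; the Escaper class, the e() wrapper, the context names and the constructed payload are all assumptions made for illustration, and it assumes PHP 7.4+ with mbstring.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread, the RFC or PHP itself): a userland
// sketch of the e($string, $context) built-in discussed above, with a context
// registry and innermost-first nesting. All names here are assumptions.
final class Escaper
{
    /** @var array<string, callable(string): string> */
    private static array $contexts = [];

    public static function register(string $name, callable $escape): void
    {
        self::$contexts[$name] = $escape;
    }

    /**
     * Contexts are listed outermost first, the way the output is nested:
     * e($q, 'attr', 'url') means "a URL inside an HTML attribute". They are
     * applied innermost first, so the value is URL-encoded and that result is
     * then attribute-encoded.
     */
    public static function escape(string $value, string ...$contexts): string
    {
        if ($contexts === []) {
            $contexts = ['html']; // HTML as the default, as the message suggests
        }
        foreach (array_reverse($contexts) as $name) {
            if (!isset(self::$contexts[$name])) {
                // Fail closed: an unknown context must never fall through unescaped.
                throw new InvalidArgumentException("Unknown escaping context: $name");
            }
            $value = (self::$contexts[$name])($value);
        }
        return $value;
    }
}

function e(string $value, string ...$contexts): string
{
    return Escaper::escape($value, ...$contexts);
}

$html = fn(string $s): string =>
    htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
Escaper::register('html', $html);
Escaper::register('attr', $html);          // same encoding; only safe inside a quoted attribute
Escaper::register('url', 'rawurlencode'); // one query-string component, not a whole URL
// JavaScript string literal; JSON_HEX_TAG keeps "</script>" from closing the block.
Escaper::register('js', fn(string $s): string => json_encode(
    $s,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
));
// A context added after the fact without touching the others: CSS string
// escaping in the \HHHHHH form, applied to every non-alphanumeric code point.
Escaper::register('css', fn(string $s): string => preg_replace_callback(
    '/[^A-Za-z0-9]/u',
    fn(array $m): string => sprintf('\\%06X', mb_ord($m[0], 'UTF-8')),
    $s
));

// Constructed attacker input that tries to break out of each context below.
$q = '"><script>alert(1)</script>';

echo '<p>', e($q), "</p>\n";                                        // text node (default html)
echo '<a href="/search?q=', e($q, 'attr', 'url'), '">go</a>', "\n";  // URL inside an attribute
echo '<script>var q = ', e($q, 'js'), ";</script>\n";               // JS string literal
echo '<style>.x::after { content: "', e($q, 'css'), '"; }</style>', "\n";

// Stacking in the wrong order is exactly the mistake a dedicated syntax could
// prevent: attribute-encode first and the URL carries "%26quot%3B" where the
// application expected a quote, so the data is corrupted rather than escaped.
assert(e('"', 'attr', 'url') === '%22');
assert(e('"', 'url', 'attr') === '%26quot%3B');

try {
    e($q, 'xml'); // never registered, so it is rejected instead of passed through
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), "\n";
}
```

The registry is what lets a new context be added by name without reimplementing the others, and the innermost-first application order is the part a language-level syntax would have to get right for nesting to work "without the user writing any extra code"; everything else is just the basic function calls the message says such a feature would reduce to.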