> In many ways, defining a built-in function e($string, $context) would
> fulfil most of the above.
If things are so easy, why does so much code exist with XSS problems?
Regards
Thomas
Rowan Collins wrote on 27.07.2016 22:57:
> On 26/07/2016 14:15, Michael Vostrikov wrote:
>> Ok. Just ask you, why people ask the same question again since the time PHP
>> was created? Why almost all feature requests mentioned in RFC are about an
>> easy way to call htmlspecialchars()? You can vote up or down, I just want
>> to get an official result about this feature. I think, it can be considered
>> as official answer to community, to those people from community who would
>> like to use default escaping mechanism in PHP.
>
> Hi Michael,
>
> I think you and I are mostly going in circles at this point, so I'm
> going to refrain from blow-by-blow responses and sum up my thinking on
> this RFC.
>
> Overall, I think there is some merit to the idea, but I think the detail
> is important.
>
> The aim in my mind would be to make escaping easier to do right, for
> people who aren't already using a framework or templating engine with
> its own solution.
>
> - Without an actual implementation, the feature wouldn't be useful to
> those people.
> - Configurability should be a long way down the list of priorities, for
> the same reason.
> - I think contexts other than HTML should be included to remind users
> that they exist, but HTML could be the default.
> - Contexts should be stackable/nestable, *without the user writing any
> extra code*.
> - The syntax should be easy to read as well as easy to write. How easy
> it is to implement is a low priority.
>
> The current implementation doesn't seem to share these priorities; it
> feels like a building block for framework developers, who probably have
> their own solutions already.
>
>
> A few mentions have been made of Twig, which is known for its
> comprehensive escaping support; it goes a lot further than the fact that
> "|e" is an alias for "|escape('html')":
>
> - you can define automatic escaping for a whole file or a block within a
> file
> - there is an extra filter to skip the automatic escaping (not the same
> as unescaping)
> - the above can be done with any "context", but the default is HTML
> - a "context" is not just the argument to a single all-powerful "escape"
> function; you can register a new context by name, without reimplementing
> any of the existing functionality
> - other template functions can say that their output shouldn't be
> escaped, or that their input should be pre-escaped
> - other functionality of the system is aware of these notions, and
> designed to behave sensibly
>
> I don't think there's any way PHP can ever reach that level of
> sophistication, because most of the language knows nothing about
> "context"; the feature we build in is only ever going to be a simple
> short-hand for some basic function calls.
>
>
> In many ways, defining a built-in function e($string, $context) would
> fulfil most of the above. A dedicated syntax might make it a little
> easier to type, and could handle nested contexts more elegantly. The
> ability to register additional contexts and take advantage of the syntax
> and nesting could be a simple addition. Any more complicated than that,
> and you're fighting a losing battle against dedicated templating engines.
>
> That's my opinion, anyway. It is just an opinion, and you're free to
> disagree with it, but hopefully my reasoning is clear.
>
> Regards,
>
> --
> Rowan Collins
> [IMSoP]
>
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
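To make the "e($string, $context) with nestable contexts" idea from Rowan's mail concrete, here is an added sketch of what such a function could look like. This is example code written for this thread, not PHP's own API and not the RFC's implementation; the context names (html, attr, js, url), the register_escaper() helper and the render_profile_link() template function are assumptions chosen for illustration. It needs PHP 8.0+ and ext/mbstring.

```php
<?php
declare(strict_types=1);

// Added example: a sketch of a built-in-style e($string, $context) with
// nestable contexts and a registry for extra contexts. This is NOT PHP's own
// API and NOT the RFC's implementation; context names and helper names are
// assumptions chosen for illustration. Requires PHP 8.0+ and ext/mbstring.

/** @var array<string, callable(string): string> Registered escapers by name. */
$GLOBALS['__escapers'] = [];

function register_escaper(string $name, callable $fn): void
{
    $GLOBALS['__escapers'][$name] = $fn;
}

/**
 * Escape $value for one context or for a list of nested contexts.
 * Nested contexts are applied innermost first: ['js', 'attr'] means "a JS
 * string literal that sits inside an HTML attribute", so the JS escaper runs
 * first and the attribute escaper second. The caller writes no extra code.
 */
function e(string $value, string|array $context = 'html'): string
{
    foreach ((array) $context as $name) {
        $fn = $GLOBALS['__escapers'][$name]
            ?? throw new InvalidArgumentException("Unknown escaping context: $name");
        $value = $fn($value);
    }
    return $value;
}

// HTML text content: the classic htmlspecialchars() call, with the flags
// people usually forget (ENT_QUOTES so ' is covered, explicit UTF-8).
register_escaper('html', fn(string $s): string =>
    htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8'));

// Attribute values: encode every non-alphanumeric code point as a numeric
// entity, which stays safe even if the template author forgot the quotes.
register_escaper('attr', function (string $s): string {
    $out = preg_replace_callback('/[^A-Za-z0-9]/u',
        fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')), $s);
    if ($out === null) {
        throw new InvalidArgumentException('attr context needs valid UTF-8');
    }
    return $out;
});

// JavaScript string literal body: json_encode() with the HEX flags turns
// < > & ' " into \u00XX and all non-ASCII (including U+2028/2029) into \uXXXX;
// the surrounding quotes are stripped so the template supplies its own.
// Invalid UTF-8 raises JsonException instead of producing a broken literal.
register_escaper('js', function (string $s): string {
    $literal = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    return substr($literal, 1, -1);
});

// URL path segment or query value (not a whole URL; scheme checks are separate).
register_escaper('url', fn(string $s): string => rawurlencode($s));

// A template fragment that uses four contexts, one of them nested (JS inside
// an HTML attribute). Each interpolation names the context it sits in.
function render_profile_link(string $displayName): string
{
    return '<a href="/users/' . e($displayName, 'url') . '"'
        . ' title="' . e($displayName, 'attr') . '"'
        . ' onclick="track(\'' . e($displayName, ['js', 'attr']) . '\')">'
        . e($displayName) . '</a>';
}

// Constructed hostile input: tries to break out of quotes in every context.
$hostile = '"\'><script>alert(1)</script>';
echo render_profile_link($hostile), PHP_EOL;
```

The ordering rule is the whole point of the nested form: the browser decodes the attribute first (undoing the attr layer) and only then hands the result to the JavaScript parser (which sees the js layer), so escapers must be applied in the reverse of that decoding order. Registering a new context by name, as Twig allows, is just another register_escaper() call and needs no change to e() itself.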