Re: [PHP-DEV] New escaped output operator

2016-07-05 Thread Ferenc Kovacs
On Sun, Jun 19, 2016 at 6:53 PM, Михаил Востриков < michael.vostri...@gmail.com> wrote: > Please give me RFC karma. My wiki account is "michael-vostrikov". I plan to > create an RFC for this feature. > > Hi, I've just granted you RFC karma on the wiki. -- Ferenc Kovács @Tyr43l - http://ty

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Михаил Востриков
> How will a new output operator help in this case? > You still have to search for ` Saying that one can forget to add ` you can miss `, and others usually are safe in current code. But we need to write new code for new functionality in a project. Let's say we've added new column in database, and

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Davey Shafik
All, Anybody can write an RFC and call a vote whenever they want within the guidelines set forth for RFCs. It would be much more productive to get the RFC written and to provide suggestions on improvements (e.g. syntax choice, default options, ways to customize), rather than battling against it. Or st

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Eugene Leonovich
On Fri, Jul 1, 2016 at 10:51 AM, Михаил Востриков < michael.vostri...@gmail.com> wrote: > > I can easier add a new template to e.g. a Laravel > > project (own parser, own extension, living next to existing blade > templates) > > Your project already has a template engine, and framework has common

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Михаил Востриков
> I can easier add a new template to e.g. a Laravel > project (own parser, own extension, living next to existing blade templates) Your project already has a template engine, and framework has common code which works with such engines. But how much time do you need to convert all existing template

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Lester Caine
On 30/06/16 23:46, Thomas Bley wrote: >> What for? > is easy to verify > > is not easy to verify But a fixed version of http://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - http://lsces.co.uk EnquirySolve - http://enquirysolve.com/ Model Engineers Digital Workshop - http://medw

Re: [PHP-DEV] New escaped output operator

2016-07-01 Thread Markus Fischer
On 01.07.16 05:34, Михаил Востриков wrote: > Because it is almost impossible to add template engine in a big project > with PHP templates. But new version of language usually can easily be used. I interpret "But new version of language usually can easily be used" as in a new PHP version being inst

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Михаил Востриков
> If your answer for the other contexts is to use a template engine, > why is the answer for this not to use a template engine? > You want to add this because people don't use template engine, > so what makes you think they will use this when there is a valid solution already available? Because

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Thomas Bley
> What for? is easy to verify is not easy to verify Regards Rasmus Schultz wrote on 30.06.2016 22:27: > I wish you'd think about the bigger issue of autoloading functions, > which would solve this and many similar problems much more generally. > > I mean, this: > > > > versus this: > >

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Ryan Pallas
On Thu, Jun 30, 2016 at 1:35 PM, Михаил Востриков < michael.vostri...@gmail.com> wrote: > > > - Other people will ask about operator for another context > And you can say: We already added an operator for the main web context, > because it is the most frequently used context. If you have a lot of

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Rasmus Schultz
I wish you'd think about the bigger issue of autoloading functions, which would solve this and many similar problems much more generally. I mean, this: versus this: What for? I don't see the point in inventing new syntax, and introducing a new concept, for what is effectively just a limited

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Thomas Bley
I would prefer to have ENT_HTML5 as the default flag included, since normally all new html code is html5. Maybe split voting between I've tried to gather all arguments for and against. > > To be clear. I suggest new operator like '' which is > equivalent of . > It is only for HTML context. Flag

Re: [PHP-DEV] New escaped output operator

2016-06-30 Thread Михаил Востриков
I've tried to gather all arguments for and against. To be clear. I suggest new operator like '' which is equivalent of . It is only for HTML context. Flag combination is taken from most popular frameworks - Symfony, Zend, Yii, and Twig. Of course, exact form of operator and default flags are the d

Re: [PHP-DEV] New escaped output operator

2016-06-29 Thread Михаил Востриков
Hello. I've created an article on the Russian technical site habrahabr.ru. https://habrahabr.ru/post/304162/ There is a poll about introducing such an operator. About 60% of those people who have projects without template engine are "for" this operator. And even a half of those who don't also think

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Михаил Востриков
> So, not needed in all 3 cases then... So, we can still use > Imagine that urlencode does not encode quotes - what function should we >> call for its result? > Ideally, an escape filter that performs both functions; if the aim is to make things easier No. The second function really depends on cont

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Stanislav Malyshev
Hi! > As mentioned a few times in this thread, htmlspecialchars(, not more, not less. And that is exactly the problem. Inventing operators to alias one invocation of one function with one specific set of parameters is not a good idea, unless there is a *VERY* good reason to do it. And the case f

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Thomas Bley
Of course you can make the discussion endless by mentioning escaping of all kinds of third party frameworks like jQuery, but that's a bit off-topic here. As mentioned a few times in this thread, ... when I click reply :) Rowan Collins wrote on 21.06.2016 00:00: > On 20 June 2016 17:40:05 GMT+0

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Rowan Collins
On 20 June 2016 17:40:05 GMT+01:00, "Михаил Востриков" wrote: >Actually, htmlspecialchars() is needed in all three cases: ... >You may not write htmlspecialchars together with urlencode just because >urlencode encodes all special characters with its own way. So, not needed in all 3 cases then...

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Christoph Becker
On 20.06.2016 at 19:19, Rasmus Schultz wrote: >> [1] > > beauty! when can we have that?? :-) Maybe never, but at least somebody would have to pursue the RFC. See also the related discussion from 2013, starting with

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Rasmus Schultz
> [1] beauty! when can we have that?? :-)

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Rasmus Schultz
A "filter" is just a function - the difference is just global state indicating the current "default" function, which I think is a very bad idea. Just alias function calls as closures: $html = function ($str) { return htmlspecialchars($str); }; // "default filter" $attr = function ($str) { ... } /

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Christoph Becker
On 18.06.2016 at 17:44, Rasmus Schultz wrote: >> Add a couple parens and its completely implementable in userland > > If we could autoload functions, I bet that's what everyone would be doing. FWIW, there is a respective RFC draft[1] "lying around". See also . [1]

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Lester Caine
On 20/06/16 16:51, Rasmus Schultz wrote: > If you're curious: https://github.com/mindplay-dk/kisstpl https://github.com/bitweaver ... couple of thousand templates with my personal extensions ... which I would not even consider rewriting any time soon. Moving from Smarty2 to 3 was bad enough ... an

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Михаил Востриков
Davey > - https://marc.info/?t=14585132381&r=1&w=2 — automatic template escaping > - https://marc.info/?t=13508266062&r=1&w=2 — this one even proposed the same syntax! > - https://marc.info/?t=14422554601&r=1&w=2 — tainted variables also "solves" this problem These discussions and arg

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Niklas Keller
2016-06-20 17:51 GMT+02:00 Rasmus Schultz : > > My PHP is augmented with Smarty so I know which are template files and > > which are program code :) > > I name my template files "*.view.php", so I know which is which. > > I also head off every file with /** @var MyViewModel $view */ for IDE > supp

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Larry Garfield
On 06/20/2016 10:24 AM, Rasmus Schultz wrote: There are three different escape mechanisms needed there; if there is a shorthand for one, do you think it will be more likely or less that people will get the other two right? I have to agree with that - assigning special syntax to one kind of

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Rasmus Schultz
> My PHP is augmented with Smarty so I know which are template files and > which are program code :) I name my template files "*.view.php", so I know which is which. I also head off every file with /** @var MyViewModel $view */ for IDE support and inspections with CS/MD/phan, etc. If you're curi

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Lester Caine
On 20/06/16 16:24, Rasmus Schultz wrote: > (and please, nobody say "use a template engine" - I *am* using a > template engine, it's called PHP!) My PHP is augmented with Smarty so I know which are template files and which are program code :) -- Lester Caine - G8HFL - C

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Rasmus Schultz
> > > > > > > There are three different escape mechanisms needed there; if there is a > shorthand for one, do you think it will be more likely or less that people > will get the other two right? I have to agree with that - assigning special syntax to one kind of escape-function gives that func

Re: [PHP-DEV] New escaped output operator

2016-06-20 Thread Thomas Bley
to make it more clear: is a shortcut for: Using 2016-06-20 11:12 GMT+02:00 Lester Caine : > >> On 20/06/16 07:00, Niklas Keller wrote: >> >> Now ... I want to add content that includes >> >> > it needs to be in the format >> >> >