[PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Michael Vostrikov
Hello. I have created an RFC about a context-dependent escaping operator. https://wiki.php.net/rfc/escaping_operator Initial discussion was here: http://marc.info/?t=14661919911 At first, I wanted to add a call to a special function like escaper_call($str, $context), which performs html-escaping by

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Thomas Bley
If I see it correctly, this is just a framework for defining callbacks to an escaping operator, without an implementation of "html" and "js"? Not sure if this helps. Regards Thomas Michael Vostrikov wrote on 16.07.2016 17:33: > Hello. > I have created an RFC about a context-dependent escaping operator

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Michael Vostrikov
> If I see it correctly, this is just a framework for defining callbacks to an escaping operator, without an implementation of "html" and "js"? > Not sure if this helps. There is a default escaping for HTML. If there is no registered handler for the 'html' context, it calls htmlspecialchars($str, ENT_QUO

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Dan Ackroyd
Hi Michael, On 16 July 2016 at 16:33, Michael Vostrikov wrote: > Hello. > I have created an RFC about a context-dependent escaping operator. > https://wiki.php.net/rfc/escaping_operator > > Initial discussion was here: http://marc.info/?t=14661919911 I'm more than slightly sceptical about this RF

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Marcio Almada
2016-07-16 11:33 GMT-04:00 Michael Vostrikov : > > Hello. > I have created an RFC about a context-dependent escaping operator. > https://wiki.php.net/rfc/escaping_operator > > Initial discussion was here: http://marc.info/?t=14661919911 Hi, A few possible RFC improvements: 1. Is there any specif

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Michael Vostrikov
> It would be better to return the previous handler, or NULL if one > wasn't set, in the same way as set_error_handler() does, and for the same reasons. Well, maybe you are right. But I thought this is not a use case; usually we don't need multiple handlers for a certain context. I.e. we don't need

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-16 Thread Michael Vostrikov
> > 1. Is there any specific reason why we're using a class instead of > functions to register a callable the same way it's done for exception > handling or error handling? Hacking non FQN resolutions to inject another > escaper ... > I would not call it 'hacking') This is exactly the same as if w