rfc:escaping_operator
Differences
This shows you the differences between two versions of the page.
rfc:escaping_operator [2016/07/24 09:24] – michael-vostrikov | rfc:escaping_operator [2016/08/07 14:00] – michael-vostrikov | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== PHP RFC: New operator for context-dependent escaping ====== | + | ====== PHP RFC: New operator |
* Version: 1.0 | * Version: 1.0 | ||
* Date: 2016-07-14 | * Date: 2016-07-14 | ||
* Author: Michael Vostrikov < | * Author: Michael Vostrikov < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 22: | Line 22: | ||
The problem is that < | The problem is that < | ||
+ | |||
+ | Calling an escaping function manually on every output is the same as calling constructor manually after every ' | ||
+ | <PHP> | ||
+ | (new User)-> | ||
+ | (new Profile)-> | ||
+ | </ | ||
Main argument against such operator is that main problem is in specific context. There are various contexts and each one requires special escaping. But I think this is not required to support all of them. Because - who asks about it?) There are no requests about special operator for json_encode(), | Main argument against such operator is that main problem is in specific context. There are various contexts and each one requires special escaping. But I think this is not required to support all of them. Because - who asks about it?) There are no requests about special operator for json_encode(), | ||
Line 54: | Line 60: | ||
The purpose of this operator is | The purpose of this operator is | ||
- | - To make frequent operations for escaping and default escaping easier to use. | + | - To make frequent operations for escaping, and especially |
- To remove copy-paste for calling an escaping function. | - To remove copy-paste for calling an escaping function. | ||
- To improve a security, because the escaping will become automatic in all places, and this will prevent XSS. | - To improve a security, because the escaping will become automatic in all places, and this will prevent XSS. | ||
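Review bot: the third purpose bullet, "this will prevent XSS", overstates what the proposal guarantees. The operator only delegates to the user-defined handler for the context the template author passes, so output placed in an attribute, JavaScript or URL position is protected only when that context is passed and the handler implements it. Suggest rewording to "prevents XSS for every output written through the operator with the correct context" so readers do not take the operator as a blanket guarantee.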
Line 92: | Line 98: | ||
Function restore_escape_handler() removes current handler and restores previously set handler. | Function restore_escape_handler() removes current handler and restores previously set handler. | ||
- | Function escape_handler_call() just pass given arguments into user-defined handler. Second argument is not required. If the handler is not set, it throws an exception. There is no default handler for any context, to prevent ' | + | Function escape_handler_call() just pass given arguments into user-defined handler. Second argument is not required. If the handler is not set, it throws an exception. Default context can be set in it as default value for second argument. |
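Review bot: replacing "there is no default handler for any context" with "default context can be set in it as default value for second argument" changes the failure mode without saying so: a call that omits the context no longer fails but is escaped for whatever context the handler author chose as default, which is exactly the mismatch the old wording tried to rule out. State explicitly what is intended when the second argument is omitted, and keep this paragraph and the identically worded one in the function reference section in sync (that copy also spells "Argumants").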
Line 149: | Line 155: | ||
Passes given arguments into user-defined handler. Argumants are passed 'as is', without any changes. | Passes given arguments into user-defined handler. Argumants are passed 'as is', without any changes. | ||
- | Second argument is not required. If the handler is not set, it throws an exception. There is no default handler for any context, to prevent ' | + | Second argument is not required. If the handler is not set, it throws an exception. Default context can be set in it as default value for second argument. |
===== Main arguments ' | ===== Main arguments ' | ||
Line 232: | Line 238: | ||
It is easy to use and has small amount of code. | It is easy to use and has small amount of code. | ||
It does not change Zend VM opcodes and does not break any existing code. | It does not change Zend VM opcodes and does not break any existing code. | ||
+ | It can be used as a replacement for standard '<? | ||
Also it will be useful for beginners, which don't know about HTML escaping or forget about it. If there will be special operator for HTML-safe output, beginners will use it, because this is simple. | Also it will be useful for beginners, which don't know about HTML escaping or forget about it. If there will be special operator for HTML-safe output, beginners will use it, because this is simple. | ||
Line 244: | Line 251: | ||
- | Starting sign: | + | Starting sign.\\ |
+ | Last one is more comfortable to type. | ||
<PHP> | <PHP> | ||
<?* $a, $b ?> | <?* $a, $b ?> | ||
<?: $a, $b ?> | <?: $a, $b ?> | ||
</ | </ | ||
- | Last one is more comfortable to type. | ||
- | Separator sign: | + | Separator sign.\\ |
+ | Maybe it should differ from standard <?= $a, $b ?> syntax to prevent mistakes like <?= $a, ' | ||
+ | ' | ||
<PHP> | <PHP> | ||
<?* $a , $b ?> | <?* $a , $b ?> | ||
Line 259: | Line 268: | ||
<?: $a : $b ?> | <?: $a : $b ?> | ||
</ | </ | ||
- | Maybe it should differ from standard <?= $a, $b ?> syntax to prevent mistakes like <?= $a, ' | ||
- | ' | ||
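Review bot: the `:` separator shown in `<?: $a : $b ?>` is ambiguous with PHP's ternary operator as soon as an argument is itself a conditional expression (for example `$cond ? $x : $y` as the first argument). The syntax section should state how such an expression parses under each candidate separator, or keep `:` only as the starting sign and use `,` as the separator.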
- | If to wrap in a class or namespace (fully qualified), to not clutter up a global namespace: | + | If to wrap functions |
<PHP> | <PHP> | ||
set_escape_handler() | set_escape_handler() | ||
Line 273: | Line 280: | ||
PHPEscaper:: | PHPEscaper:: | ||
</ | </ | ||
+ | |||
+ | \\ | ||
+ | Built-in contexts.\\ | ||
+ | Default handler with built-in contexts can cause ' | ||
+ | \\ | ||
And also any names in source code or details of implementation, | And also any names in source code or details of implementation, | ||
Line 279: | Line 291: | ||
What is not under discussion: | What is not under discussion: | ||
- | |||
- | Built-in contexts.\\ | ||
- | Because escape_handler_call() is not an escaper itself, but just a helper to call user-defined escaper, it should not handle any contexts. This allows to prevent ' | ||
- | |||
Multiple arguments.\\ | Multiple arguments.\\ | ||
+ | < | ||
I think, it is enough that second argument can be any type, e.g. an array. | I think, it is enough that second argument can be any type, e.g. an array. | ||
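Review bot: the paragraph removed from "What is not under discussion" carried the security rationale for the design (escape_handler_call() is only a helper that calls the user-defined escaper and so handles no contexts itself). The "Built-in contexts" item moved into the discussion list above should restate that rationale next to the concern about a default handler; otherwise a reader of the new revision cannot tell why built-in contexts were previously excluded.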
Line 290: | Line 299: | ||
If we allow custom handlers, then we need runtime processing, so the example above cannot be compiled into\\ | If we allow custom handlers, then we need runtime processing, so the example above cannot be compiled into\\ | ||
< | < | ||
- | directly, and it will something like\\ | + | directly, and it will be something like\\ |
< | < | ||
- | I.e. we anyway need to pass context as a second argument, so why not allow user to do it. | + | I.e. we anyway need to pass context as a second argument, so why not allow user to do this. |
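Review bot: since context resolution happens at runtime and the operator cannot be compiled to a fixed escaping call, this section should spell out what happens when a template using the operator is rendered before set_escape_handler() has been called. The escape_handler_call() description says an exception is thrown, which is the desired fail-closed behaviour; say here that the operator inherits it rather than falling back to unescaped output.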
Line 312: | Line 321: | ||
==== To Existsing Applications/ | ==== To Existsing Applications/ | ||
- | There may be some applications or extensions which contains <?* some text ?> as raw text in PHP template. | + | There may be some applications or extensions which contains <?* some text ?> as raw text in PHP template, or which have the same function names. |
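Review bot: the compatibility statement covers only `<?* some text ?>` and the function names; if the `<?:` starting sign listed in the syntax section is chosen, the same raw-text collision applies to it and should be stated here. The section should also say whether such existing templates fail to compile or silently change their output, since silent changes matter for escaping (and the heading spells "Existsing").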
Line 321: | Line 330: | ||
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
- | Can this operator be useful for many people and implemented in PHP in some of forms described above?\\ | ||
- | The choices are Yes or No\\ | ||
Requires a 2/3 majority\\ | Requires a 2/3 majority\\ | ||
+ | Voting is open till August 6.\\ | ||
+ | Will this short tag / operator be useful for many people with the functionality described above? | ||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Additional questions. Voting is not required if you have voted ' | ||
+ | \\ | ||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | \\ | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | \\ | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | \\ | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
+ | |||
Diff with changes:\\ | Diff with changes:\\ | ||
https:// | https:// | ||
Line 336: | Line 371: | ||
===== References ===== | ===== References ===== | ||
- | Discussions: | + | Discussions: |
- | http:// | + | http:// |
- | http:// | + | http:// |
Diff with changes: | Diff with changes: |
rfc/escaping_operator.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1