On Sun, Mar 20, 2016 at 3:11 PM, Daniel Beardsley <dan...@ifixit.com> wrote:
> I'd like to submit an RFC (with a pull request) for adding auto-escaping to
> the php language.
>
> T_ECHO (echo, <?=) and T_PRINT (print) now both emit a
> ZEND_AST_ECHO_ESCAPE node in the syntax tree.
>
Interesting approach, I assume an explicit `echo $foo;` takes the
normal ZEND_ECHO route then?

> zend_write_escape is a new function pointer that points to
> php_escape_write.
>
Pluggable, good.

> The auto-escaping system can be configured with an:
> __auto_escape_exempt_class="HtmlString"
>
I wonder if allowing the classes to declare themselves as exempt (or
self-escapable) might be a better approach.

e.g.
class Foo implements HtmlEscapable {
  public function htmlEscape() {
    return htmlentities($this->whatever);
  }
}

> Which allows instances of `HtmlString` to pass straight through a
> template without being modified (skipping the html_entities call).
>
IME once you provide an escape hatch, said hatch WILL be used.  It's
not a question of IF.

For my part, I'd toss the idea of XHP (
https://docs.hhvm.com/hack/XHP/introduction ) back into consideration
over something like this.

This approach has the smell of magic quotes which we got rid of for
very good reason.  XHP is much more explicit in separating markup from
data and relies far less (not at all when you do it right) on escape
hatches.

-Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
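An added userland sketch, not code from the RFC or from this thread, contrasting the two strategies under discussion: a type that escapes itself through the HtmlEscapable interface Sara suggests, versus the RFC's exempt HtmlString class that the escaping output path emits verbatim. The HtmlEscapable and htmlEscape names come from the message; UserName, escapedEcho and the sample payload are assumptions for illustration.

```php
<?php
// Added illustration (not from the RFC or the reply): a userland model of the
// two escaping strategies discussed, so the difference is visible in code.

// Sara's suggestion: a type declares that it knows how to escape itself.
interface HtmlEscapable {
    public function htmlEscape(): string;
}

// Hypothetical value object that escapes its payload on output; no hatch needed.
final class UserName implements HtmlEscapable {
    public function __construct(private string $name) {}
    public function htmlEscape(): string {
        return htmlspecialchars($this->name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The RFC's exempt class: anything wrapped in it is emitted unmodified.
final class HtmlString {
    public function __construct(public string $html) {}
    public function __toString(): string { return $this->html; }
}

// Stand-in for the escaping echo path (hypothetical name): plain strings are
// always encoded, HtmlEscapable objects encode themselves, the exempt class
// passes straight through. That last branch is the escape hatch.
function escapedEcho(mixed $value): string {
    if ($value instanceof HtmlEscapable) {
        return $value->htmlEscape();
    }
    if ($value instanceof HtmlString) {
        return (string) $value;   // no encoding at all: reviewers must audit every use
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, the classic markup-in-data case.
$payload = '<b>untrusted</b>';
echo escapedEcho($payload), "\n";                  // encoded: &lt;b&gt;untrusted&lt;/b&gt;
echo escapedEcho(new UserName($payload)), "\n";    // encoded by the object itself
echo escapedEcho(new HtmlString($payload)), "\n";  // emitted raw: the hatch in action
```

The point of the model is that with the interface, escaping is a property of the type and cannot be skipped by construction; with the exempt class, every `new HtmlString(...)` site is a place where a review has to confirm the content really is trusted markup.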