How does Twig solve these problems? Is template compilation the solution?

On Thu, Nov 18, 2010 at 11:08 PM, Fabien Potencier <[email protected]> wrote:
> Summary
> -------
>
> The output escaping component for PHP templates does not work very well and
> I think it cannot be "fixed". So, I want to remove its support in Symfony2
> entirely. This means that we won't have automatic output escaping if you use
> the PHP templating engine in Symfony2.
>
> I think that makes sense because we have decided to use Twig as the default
> templating system (and Twig supports a much more robust implementation of
> automatic output escaping -- still not finished yet though.)
>
> Rationale
> ---------
>
> If we support a feature in Symfony2, it should work as advertised,
> especially when we talk about security. But the truth is that automatic
> output escaping does not work very well.
>
> I've been fighting with the output escaper and its integration in the PHP
> templating system for months now and I'm still not satisfied with its
> current state; and I don't see how we can fix all the issues.
>
> I won't list all the problems I've encountered, but just three of them to
> illustrate the discussion.
>
> The first problem is that it's quite impossible to guarantee that
> everything will be escaped. For instance, static method calls cannot be
> escaped (we can argue that this is not a good practice but we cannot force
> people not to use them.)
>
> Then, some weeks ago, I fixed double-escaping problems. I then fixed some
> bugs, and now, the current implementation is better as it escapes "more"
> but now... it escapes too much. For instance, if you pass a safe variable by
> wrapping it with a SafeDecorator object, all method calls on it should be
> considered safe. But if you pass the result of a method call to another
> template from a template, it will be escaped, which is not expected:
>
> // in a controller
> $var = new SafeDecorator($object);
>
> // in the template
> $view->render('...', array('var' => $var->getFoo()));
>
> The 'var' variable in the render() call should not be escaped but it will
> be as the escaper removes the SafeDecorator when passing $var to the
> template.
>
> Last but not least, the fact that we need to wrap all variables has
> also a lot of drawbacks. Main ones are:
>
> * It's slow;
> * The wrapped objects do not act as the original objects (many native PHP
> functions for instance work for arrays but not for ArrayAccess objects;)
> * People expect an object of a given type but what they have is different
> (it means that sometimes you cannot use type hinting;)
>
> Cheers,
> Fabien
>
> --
> Fabien Potencier
> Sensio CEO - symfony lead developer
> sensiolabs.com | symfony-project.org | fabien.potencier.org
> Tél: +33 1 40 99 80 80
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]<symfony-devs%[email protected]>
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en

--
Thomas Rabaix
http://rabaix.net
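The over-escaping case and the static-call gap from Fabien's quoted mail, reconstructed as a runnable toy in PHP. This is an added example, not Symfony's escaper and not Twig code: the names SafeDecorator, Escaper, escapeValue(), render() and the Product model are assumptions made for this demo, and the markup strings are constructed sample data.

```php
<?php
// Added illustration, not Symfony code: a toy wrapper-based output escaper
// modelled on the behaviour the quoted mail describes. SafeDecorator, Escaper,
// escapeValue(), render() and Product are assumed names for this demo only.

// Marks a value the controller has already vetted as safe HTML.
final class SafeDecorator
{
    private $value;
    public function __construct($value) { $this->value = $value; }
    public function getValue() { return $this->value; }
}

// Proxy returned for ordinary objects: each method result goes back through
// escapeValue(), so strings are HTML-escaped and nested objects re-proxied.
final class Escaper
{
    private $object;
    public function __construct(object $object) { $this->object = $object; }
    public function __call(string $name, array $args)
    {
        return escapeValue($this->object->$name(...$args));
    }
}

function escapeValue($v)
{
    if ($v instanceof SafeDecorator) {
        // Unwrap: the template gets the raw object, and from here on nothing
        // remembers that it was declared safe.
        return $v->getValue();
    }
    if (is_string($v)) {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (is_object($v)) {
        return new Escaper($v);
    }
    return $v;
}

// Toy engine: escape every variable at the template boundary, then run the
// template (a closure here, standing in for a PHP template file).
function render(callable $template, array $vars): string
{
    $escaped = [];
    foreach ($vars as $name => $value) {
        $escaped[$name] = escapeValue($value);
    }
    return $template($escaped);
}

// Sample model, constructed for this example.
final class Product
{
    public function getFoo(): string { return '<b>Bold</b> & safe markup'; }
    public static function banner(): string { return '<script>alert(1)</script>'; }
}

// Inner template: prints the single variable it receives.
$inner = function (array $v): string { return $v['var']; };

// Outer template: the scenario from the mail, plus the static-call gap.
$outer = function (array $v) use ($inner): string {
    // $v['var'] is the raw Product, because SafeDecorator was unwrapped.
    $direct = $v['var']->getFoo();                            // safe, left alone
    $nested = render($inner, ['var' => $v['var']->getFoo()]); // safe, yet escaped
    $static = Product::banner();                              // never intercepted
    $plain  = $v['untrusted']->getFoo();                      // proxied, escaped
    return implode("\n", [$direct, $nested, $static, $plain]);
};

// Controller side.
echo render($outer, [
    'var'       => new SafeDecorator(new Product()),
    'untrusted' => new Product(),
]), "\n";
```

Running it prints four lines: the direct call on the safe object comes out as raw markup, the same string passed through the nested render() comes out entity-encoded, the static call comes out as raw (and here hostile) markup with nothing having touched it, and the unwrapped object goes through the Escaper proxy and is encoded as intended. The second and third lines are the two failures from the mail: safety is recorded on a wrapper that is stripped at the template boundary, so a value crossing a second boundary carries no marker, and a static call never crosses a boundary at all.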
