On 11/19/10 12:46 AM, Jordi Boggiano wrote:
On Thu, Nov 18, 2010 at 11:08 PM, Fabien Potencier wrote:
I think that makes sense because we have decided to use Twig as the default
templating system (and Twig supports a much more robust implementation of
automatic output escaping -- still not finished yet though.)
This might sound stupid but have you ever considered just implementing a lie? :)
I mean, you could use the PHP tokenizer to pre-compile the PHP
templates to PHP. It sounds a bit wrong, but it actually makes sense in this
case I'd say. You could even have a raw() function that, if applied to
some expression, would be removed during compilation but would turn
off automatic escaping for that expression.
It solves the performance issue, it solves the crazy vars sent to
another function sent to another template etc that are unable to be
resolved properly by the decorators.
The question remains though, is it worth the trouble?
One of the "beauties" of the PHP templating system is that, well, it's
just PHP templates. Introducing a "compilation" step would kill the
simplicity of that.
But besides that, and because we are working very hard to get output
escaping right with Twig, I know that this won't be possible without
having a deep understanding of the PHP expression you want to escape;
which is not possible without tokenizing the template. Sounds like a lot
of effort.
If you want to understand the difficulty of implementing automatic output
escaping, you can read the current Twig rules in the Twig documentation
and have a quick look at the current state by reading the discussion in
this ticket:
https://github.com/fabpot/Twig/issues#issue/163
Fabien
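
The pre-compilation idea discussed in this thread, as an added example that is not part of the original messages and is not Symfony or Twig code: a tokenizer pass that rewrites only `<?= ... ?>` echo tags so that their output is escaped by default. The function names `compileTemplate()` and `compileEcho()` and the exact behaviour of the `raw()` marker are assumptions made for illustration; the code needs PHP 7.4 or later.

```php
<?php
// Added illustration, not Symfony or Twig code; compileTemplate(), compileEcho()
// and the raw() marker are hypothetical. Only echo tags ("<?=") are rewritten.
function compileTemplate(string $source): string
{
    $tokens = token_get_all($source);
    $out = '';
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_OPEN_TAG_WITH_ECHO) {
            $out .= is_array($tokens[$i]) ? $tokens[$i][1] : $tokens[$i]; // copy verbatim
            continue;
        }
        $expr = []; // tokens between the echo tag and its closing tag
        while (++$i < $n && !(is_array($tokens[$i]) && $tokens[$i][0] === T_CLOSE_TAG)) {
            $expr[] = $tokens[$i];
        }
        $out .= '<?php echo ' . compileEcho($expr) . ';' . ($i < $n ? $tokens[$i][1] : '');
    }
    return $out;
}

function compileEcho(array $tokens): string
{
    $text = static fn($t): string => is_array($t) ? $t[1] : $t;
    // Indices of structural tokens: whitespace and ";" are ignored.
    $idx = array_keys(array_filter($tokens, static fn($t) =>
        !(is_array($t) && $t[0] === T_WHITESPACE) && $t !== ';'));
    $first = $idx ? $tokens[$idx[0]] : null;
    if (count($idx) >= 4 && is_array($first) && $first[0] === T_STRING
        && strtolower($first[1]) === 'raw' && $tokens[$idx[1]] === '(') {
        $depth = 0;
        foreach (array_slice($idx, 1) as $k) {
            $depth += ($tokens[$k] === '(' ? 1 : 0) - ($tokens[$k] === ')' ? 1 : 0);
            if ($depth === 0 && $k !== end($idx)) { // raw(...) covers only part
                throw new InvalidArgumentException('raw() must wrap the whole expression');
            }
            if ($depth === 0) { // whole expression is raw(...): drop the marker
                $inner = array_slice($tokens, $idx[1] + 1, $k - $idx[1] - 1);
                return '(' . implode('', array_map($text, $inner)) . ')';
            }
        }
    }
    $code = trim(implode('', array_map($text, $tokens)), "; \t\r\n");
    return "htmlspecialchars((string) ($code), ENT_QUOTES, 'UTF-8')";
}

// Constructed sample template: plain, raw() and a ")" inside a string literal.
echo compileTemplate(<<<'TPL'
<p><?= $name ?></p><div><?= raw($html) ?></div><b><?= strtoupper($a) . ')' ?></b>
TPL), "\n";
```

This sketch always applies HTML-body escaping; it does not know whether an expression lands in an attribute, a URL or a script block, and it does not touch `echo` statements inside `<?php ... ?>` blocks.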