On 11/18/10 11:43 PM, Thomas Rabaix wrote:
How does Twig solve these problems? Is template compilation the solution?
With Twig, we have a proper AST of the templates. Automatic output escaping is done by visiting the AST and applying output escaping when appropriate (which is not trivial but doable).
By doing that at compilation time, there is no overhead between automatic output escaping and manual escaping in Twig.
Fabien
On Thu, Nov 18, 2010 at 11:08 PM, Fabien Potencier <[email protected]> wrote:

Summary
-------

The output escaping component for PHP templates does not work very well and I think it cannot be "fixed". So, I want to remove its support in Symfony2 entirely. This means that we won't have automatic output escaping if you use the PHP templating engine in Symfony2. I think that makes sense because we have decided to use Twig as the default templating system (and Twig supports a much more robust implementation of automatic output escaping -- still not finished yet though.)

Rationale
---------

If we support a feature in Symfony2, it should work as advertised, especially when we talk about security. But the truth is that automatic output escaping does not work very well. I've been fighting with the output escaper and its integration in the PHP templating system for months now and I'm still not satisfied with its current state; and I don't see how we can fix all the issues.

I won't list all the problems I've encountered, but just three of them to illustrate the discussion.

The first problem is that it's quite impossible to guarantee that everything will be escaped. For instance, static method calls cannot be escaped (we can argue that this is not a good practice but we cannot force people not to use them.)

Then, some weeks ago, I fixed double-escaping problems. I then fixed some bugs, and now, the current implementation is better as it escapes "more" but now... but it escapes too much. For instance, if you pass a safe variable by wrapping it with a SafeDecorator object, all method calls on it should be considered safe. But if you pass the result of a method call to another template from a template, it will be escaped, which is not expected:

    // in a controller
    $var = new SafeDecorator($object);

    // in the template
    $view->render('...', array('var' => $var->getFoo()));

The 'var' variable in the render() call should not be escaped but it will be, as the escaper removes the SafeDecorator when passing $var to the template.

Last but not least, the fact that we need to wrap all variables also has a lot of drawbacks. The main ones are:

* It's slow;
* The wrapped objects do not act as the original objects (many native PHP functions for instance work for arrays but not for ArrayAccess objects;)
* People expect an object of a given type but what they have is different (it means that sometimes you cannot use type hinting;)

Cheers,
Fabien

--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.org | fabien.potencier.org
Tél: +33 1 40 99 80 80

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en

--
Thomas Rabaix
http://rabaix.net
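An added illustration (not Symfony's or Twig's own code) of the wrapper-based runtime escaper Fabien describes, showing the last two drawbacks he lists: a wrapped array is no longer a native array, and a decorated object no longer satisfies a type hint on its original class. Class and function names are hypothetical stand-ins for the component's real ones.

```php
<?php
// Added illustration, not Symfony's own code: a runtime escaper in the style the
// mail describes, with hypothetical class and function names.

final class Article
{
    public function __construct(private string $title) {}
    public function getTitle(): string { return $this->title; }
}
// Proxies method calls on the wrapped object and escapes whatever they return.
final class EscapedObjectDecorator
{
    public function __construct(private object $inner) {}
    public function __call(string $method, array $args): mixed
    {
        return escapeForHtml($this->inner->$method(...$args));
    }
}
// Wraps or escapes a template variable for an HTML context.
function escapeForHtml(mixed $value): mixed
{
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    if (is_array($value)) {
        // Keeps ArrayAccess behaviour, but is no longer a native PHP array.
        return new ArrayObject(array_map('escapeForHtml', $value));
    }
    return is_object($value) ? new EscapedObjectDecorator($value) : $value;
}
// A helper type-hinted on the real class, as application code would be.
function renderTitle(Article $article): string
{
    return '<h1>' . $article->getTitle() . '</h1>';
}

$escapedArticle = escapeForHtml(new Article('<b>Hello</b>'));
$escapedTags    = escapeForHtml(['<i>', '<u>']);

echo $escapedArticle->getTitle(), "\n"; // escaped through the proxy
try { // native array functions reject the ArrayAccess wrapper (TypeError on PHP 8)
    echo implode(', ', $escapedTags), "\n";
} catch (TypeError $e) {
    echo 'not an array any more: ', get_class($escapedTags), "\n";
}
try { // the type hint on the original class no longer matches the decorator
    echo renderTitle($escapedArticle), "\n";
} catch (TypeError $e) {
    echo 'type hint rejects: ', get_class($escapedArticle), "\n";
}
```

Twig's approach avoids both problems by deciding at compile time which output nodes need escaping, so the values handed to templates stay the original PHP arrays and objects.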
