I think it's fine to remove automatic escaping through PHP and just make sure the documentation is clear that Twig is superior and if you want to use PHP you must escape everything?
Not sure there really is any other solution?

t

On Fri, Nov 19, 2010 at 16:58, Fabien Potencier <[email protected]> wrote:

> On 11/19/10 2:07 AM, Johannes wrote:
>
>> My first thought was to write a PHP-to-PHP compiler as well, but then
>> I guess this isn't done so easily.
>
> correct.
>
>> I don't know any libraries that build an AST, not even PHP internally
>> builds an AST; and without an AST I don't see how you could reliably
>> do any optimizations on the PHP code.
>
> That's what we do in Twig actually (we manipulate the AST before
> compilation).
>
> Fabien
>
>> regards,
>> Johannes
>>
>> On Nov 19, 12:46 am, Jordi Boggiano<[email protected]> wrote:
>>
>>> On Thu, Nov 18, 2010 at 11:08 PM, Fabien Potencier
>>> <[email protected]> wrote:
>>>
>>>> I think that makes sense because we have decided to use Twig as the
>>>> default templating system (and Twig supports a much more robust
>>>> implementation of automatic output escaping -- still not finished
>>>> yet though.)
>>>
>>> This might sound stupid but have you ever considered just implementing a
>>> lie? :)
>>>
>>> I mean, you could use the PHP tokenizer to pre-compile to php the php
>>> templates. It sounds a bit wrong, but it actually makes sense in this
>>> case I'd say. You could even have a raw() function that, if applied to
>>> some expression, would be removed during compilation but would turn
>>> off automatic escaping for that expression.
>>>
>>> It solves the performance issue, it solves the crazy vars sent to
>>> another function sent to another template etc that are unable to be
>>> resolved properly by the decorators.
>>>
>>> The question remains though, is it worth the trouble?
>>>
>>> Cheers
>>>
>>> --
>>> Jordi Boggiano
>>> @seldaek :: http://seld.be/
>
> --
> If you want to report a vulnerability issue on symfony, please send it to
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]<symfony-devs%[email protected]>
> For more options, visit this group at
> http://groups.google.com/group/symfony-devs?hl=en
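
The tokenizer pre-compilation idea quoted above, as an added sketch that is not code from this thread or from Symfony: it rewrites short echo tags so the escaping call sits at the output site, and strips a `raw()` marker at compile time. The function names `compileTemplate()` and `escapeUnlessRaw()` are hypothetical, and the sketch assumes HTML body or quoted-attribute context, one expression per echo tag, and `raw()` wrapping the whole expression.

```php
<?php
// Added illustration, not thread or Symfony code; all function names are hypothetical.
function compileTemplate(string $source): string
{
    $out = '';
    $block = null; // tokens of the short echo block being collected, else null
    foreach (token_get_all($source) as $token) {
        $token = is_array($token) ? $token : [null, $token];
        if ($token[0] === T_OPEN_TAG_WITH_ECHO) {
            $block = [];
        } elseif ($block !== null && $token[0] === T_CLOSE_TAG) {
            // Reuse the original close tag text so a trailing newline survives.
            $out .= '<?php echo ' . escapeUnlessRaw($block) . ' ' . $token[1];
            $block = null;
        } elseif ($block !== null) {
            $block[] = $token;
        } else {
            $out .= $token[1];
        }
    }
    return $out;
}

function escapeUnlessRaw(array $tokens): string
{
    // Trim whitespace and a stray ';' from both ends of the expression.
    $edge = fn (array $t): bool => $t[0] === T_WHITESPACE || $t === [null, ';'];
    while ($tokens && $edge($tokens[0])) { array_shift($tokens); }
    while ($tokens && $edge(end($tokens))) { array_pop($tokens); }
    $n = count($tokens);
    if ($n >= 3 && $tokens[0][0] === T_STRING && strtolower($tokens[0][1]) === 'raw'
        && $tokens[1] === [null, '(']) {
        $depth = 0;
        for ($i = 1; $i < $n; $i++) {
            if ($tokens[$i] === [null, '(']) {
                $depth++;
            } elseif ($tokens[$i] === [null, ')'] && --$depth === 0) {
                break;
            }
        }
        if ($i === $n - 1) { // raw(...) wraps the whole expression: drop the marker
            return '(' . implode('', array_column(array_slice($tokens, 2, $n - 3), 1)) . ')';
        }
    }
    $code = implode('', array_column($tokens, 1));
    return "htmlspecialchars((string) ($code), ENT_QUOTES, 'UTF-8')";
}

// Constructed sample template: one escaped value, one marked raw().
echo compileTemplate("<p><?= \$name ?></p>\n<div><?= raw(\$body) ?></div>\n");
```

An expression that merely starts with `raw(` and continues, such as a concatenation, is escaped as a whole rather than treated as raw, so the marker cannot silently disable escaping for the rest of the expression.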
