+1

On Nov 19, 10:19 am, Marijn <[email protected]> wrote:
> As long as we are very clear about the fact that:
>
> * Twig has superior support for output escaping by default and
> * Output escaping can be done manually in the PHP version
>
> I'm fine with it
>
> On Nov 19, 8:47 am, Henrik Bjornskov <[email protected]> wrote:
> > +1
> >
> > I'm turning it off in php templates per default anyways.
> >
> > On 19 Nov., 07:02, Tim Nagel <[email protected]> wrote:
> > > I think it's fine to remove automatic escaping through PHP and just make sure
> > > the documentation is clear that Twig is superior and if you want to use PHP
> > > you must escape everything?
> > >
> > > Not sure there really is any other solution?
> > >
> > > t
> > >
> > > On Fri, Nov 19, 2010 at 16:58, Fabien Potencier <[email protected]> wrote:
> > > > On 11/19/10 2:07 AM, Johannes wrote:
> > > >> My first thought was to write a PHP-to-PHP compiler as well, but then
> > > >> I guess this isn't done so easily.
> > > >
> > > > correct.
> > > >
> > > >> I don't know any libraries that build an AST, not even PHP internally
> > > >> builds an AST; and without an AST I don't see how you could reliably
> > > >> do any optimizations on the PHP code.
> > > >
> > > > That's what we do in Twig actually (we manipulate the AST before
> > > > compilation).
> > > >
> > > > Fabien
> > > >
> > > >> regards,
> > > >> Johannes
> > > >>
> > > >> On Nov 19, 12:46 am, Jordi Boggiano <[email protected]> wrote:
> > > >>> On Thu, Nov 18, 2010 at 11:08 PM, Fabien Potencier
> > > >>> <[email protected]> wrote:
> > > >>>> I think that makes sense because we have decided to use Twig as the default
> > > >>>> templating system (and Twig supports a much more robust implementation of
> > > >>>> automatic output escaping -- still not finished yet though.)
> > > >>>
> > > >>> This might sound stupid but have you ever considered just implementing a
> > > >>> lie? :)
> > > >>>
> > > >>> I mean, you could use the PHP tokenizer to pre-compile to php the php
> > > >>> templates. It sounds a bit wrong, but it actually makes sense in this
> > > >>> case I'd say. You could even have a raw() function that, if applied to
> > > >>> some expression, would be removed during compilation but would turn
> > > >>> off automatic escaping for that expression.
> > > >>>
> > > >>> It solves the performance issue, it solves the crazy vars sent to
> > > >>> another function sent to another template etc that are unable to be
> > > >>> resolved properly by the decorators.
> > > >>>
> > > >>> The question remains though, is it worth the trouble?
> > > >>>
> > > >>> Cheers
> > > >>>
> > > >>> --
> > > >>> Jordi Boggiano
> > > >>> @seldaek ::http://seld.be/
> > > >
> > > > --
> > > > If you want to report a vulnerability issue on symfony, please send it to
> > > > security at symfony-project.com
> > > >
> > > > You received this message because you are subscribed to the Google
> > > > Groups "symfony developers" group.
> > > > To post to this group, send email to [email protected]
> > > > To unsubscribe from this group, send email to
> > > > [email protected]<symfony-devs%2bunsubscr...@googlegroups.com>
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/symfony-devs?hl=en
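
The tokenizer pre-compilation idea with a `raw()` marker that is raised in the thread, sketched as an added example; it is not code from any poster, from Symfony or from Twig. All function names (`compileTemplate`, `wrapExpression`, `isBalanced`, `e`, `raw`) are hypothetical, and it assumes each echoed expression ends at a top-level `,`, at `;` or at `?>`.

```php
<?php
// Added illustration, not Symfony or Twig code; every function name here is hypothetical.
function e($v): string { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }
function raw($v) { return $v; } // identity at runtime, marker for the compiler
function isBalanced(string $code): bool
{
    $depth = 0;
    foreach (token_get_all('<?php ' . $code) as $t) {
        if ($t === '(') { $depth++; }
        if ($t === ')' && --$depth < 0) { return false; }
    }
    return $depth === 0;
}

function wrapExpression(string $code): string
{
    // Drop raw(...) only when it encloses the whole expression; escape everything else.
    if (preg_match('/^raw\s*\((.*)\)$/s', $code, $m) && isBalanced($m[1])) {
        return $m[1];
    }
    return 'e(' . $code . ')';
}

function compileTemplate(string $source): string
{
    $out = '';
    $expr = null; // null: outside an echo; string: expression collected so far
    $depth = 0;
    foreach (token_get_all($source) as $token) {
        [$id, $text] = is_array($token) ? $token : [null, $token];
        if ($expr === null) {
            $out .= $text;
            if ($id === T_ECHO || $id === T_OPEN_TAG_WITH_ECHO) { $expr = ''; $depth = 0; }
            continue;
        }
        if ($id === null && ($text === '(' || $text === '[')) { $depth++; }
        if ($id === null && ($text === ')' || $text === ']')) { $depth--; }
        $end = $id === T_CLOSE_TAG || ($id === null && $text === ';');
        if ($end || ($id === null && $text === ',' && $depth === 0)) {
            $out .= ' ' . wrapExpression(trim($expr)) . ' ' . $text;
            $expr = $end ? null : '';
            continue;
        }
        $expr .= $text;
    }
    return $out;
}

echo compileTemplate('<p><?= $name ?></p><?php echo raw($html), $note; ?>'), "\n"; // constructed sample
```

An expression that only partly uses `raw()`, such as `raw($a) . $b`, is escaped as a whole, so a misplaced marker fails closed. `e()` covers HTML body and quoted-attribute contexts only; values written into JavaScript or URLs need context-specific escaping.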
