On 11/19/10 1:02 PM, Matthias Nothhaft wrote:
When removing the component, will there still be helpers for escaping
variables? Or do I have to use plain old php functions? I think it
would be better to have some helpers for escaping.

We will have to provide helpers for escaping of course.

Fabien

regards,
Matthias

On 18 Nov., 23:08, Fabien Potencier <fabien.potenc...@symfony-project.com> wrote:
Summary
-------

The output escaping component for PHP templates does not work very well
and I think it cannot be "fixed". So, I want to remove its support in
Symfony2 entirely. This means that we won't have automatic output
escaping if you use the PHP templating engine in Symfony2.

I think that makes sense because we have decided to use Twig as the
default templating system (and Twig supports a much more robust
implementation of automatic output escaping -- still not finished yet
though.)

Rationale
---------

If we support a feature in Symfony2, it should work as advertised,
especially when we talk about security. But the truth is that automatic
output escaping does not work very well.

I've been fighting with the output escaper and its integration in the
PHP templating system for months now and I'm still not satisfied with
its current state; and I don't see how we can fix all the issues.

I won't list all the problems I've encountered, but just three of them
to illustrate the discussion.

The first problem is that it's quite impossible to guarantee that
everything will be escaped. For instance, static method calls cannot be
escaped (we can argue that this is not a good practice but we cannot
force people not to use them.)

Then, some weeks ago, I fixed double-escaping problems. I then fixed
some bugs, and now, the current implementation is better as it escapes
"more" but now... but it escapes too much. For instance, if you pass a
safe variable by wrapping it with a SafeDecorator object, all method
calls on it should be considered safe. But if you pass the result of a
method call to another template from a template, it will be escaped,
which is not expected:

// in a controller: mark $object as safe so the escaper leaves it alone
$var = new SafeDecorator($object);

// in the template: pass a method result of the safe object to a sub-template
$view->render('...', array('var' => $var->getFoo()));

The 'var' variable in the render() call should not be escaped but it
will be as the escaper removes the SafeDecorator when passing $var to
the template.

Last but not least, the fact that we need to wrap all variables has
also a lot of drawbacks. Main ones are:

* It's slow;
* The wrapped objects do not act as the original objects (many native
PHP functions for instance work for arrays but not for ArrayAccess objects;)
* People expect object from a given type but what they have is different
(it means that sometimes you cannot use type hinting;)

Cheers,
Fabien

--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.org | fabien.potencier.org
Tél: +33 1 40 99 80 80
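The nested-render problem Fabien describes, as an added example that is not code from the thread or from Symfony2: a toy wrapper-based escaper in which the "safe" mark lives only on the decorator and is lost as soon as a value is extracted from it, beside the kind of explicit escaping helper the reply says will be provided. SafeDecorator, e(), prepareVariables(), renderInner() and renderOuter() are constructed names for illustration.

```php
<?php
// Added example, not code from the thread or from Symfony2. Toy model of the
// wrapper-based escaper discussed above; all class and function names are
// constructed for illustration.

final class SafeDecorator
{
    private $inner;
    public function __construct($inner) { $this->inner = $inner; }
    public function unwrap() { return $this->inner; }
}

// Explicit helper: escape one string for an HTML text/attribute context.
function e($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The escaper processes every variable handed to a template. A value marked
// safe is unwrapped so the template sees the original object, which is
// exactly where the safe mark gets lost: nothing derived from it is marked.
function prepareVariables(array $vars)
{
    $out = [];
    foreach ($vars as $name => $value) {
        if ($value instanceof SafeDecorator) {
            $out[$name] = $value->unwrap();   // trusted as a whole
        } elseif (is_string($value)) {
            $out[$name] = e($value);          // untrusted string, escape it
        } else {
            $out[$name] = $value;
        }
    }
    return $out;
}

// Inner template: prints the variable it is given.
function renderInner(array $vars) { return '<b>' . $vars['var'] . '</b>'; }

// Outer template: passes a method result of the safe object to the inner one.
// That result is a plain string, so prepareVariables() escapes it again.
function renderOuter(array $vars)
{
    $v = prepareVariables($vars);
    return renderInner(prepareVariables(['var' => $v['var']->getFoo()]));
}

$object = new class { public function getFoo() { return '<em>Foo</em>'; } };
// The <em> markup the controller declared safe comes out entity-encoded.
echo renderOuter(['var' => new SafeDecorator($object)]), "\n";
```

With explicit escaping instead, the template author calls e() at the point of output and decides locally which values are markup, so no wrapper has to carry that decision across template boundaries.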


--
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to symfony-devs@googlegroups.com
To unsubscribe from this group, send email to
symfony-devs+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
