Edit report at https://bugs.php.net/bug.php?id=62745&edit=1

 ID:                 62745
 Comment by:         phpmpan at mpan dot pl
 Reported by:        kjelkenes at gmail dot com
 Summary:            Extend echo and print possibility
 Status:             Wont fix
 Type:               Feature/Change Request
 Package:            Output Control
 Operating System:   *
 PHP Version:        5.4.5
 Block user comment: N
 Private report:     N

 New Comment:

When making general statements, first make sure that by writing "all people do" 
you don't mean "I do". Also please take a look at the calendar. Mine says 2012, 
not the end of the 20th century. Maybe 10 years ago it was acceptable, but it's no 
longer a good habit to mix business logic and the presentation layer; virtually any 
bigger application is written in OOP (which doesn't mix well with exiting PHP 
mode), and the presentation layer is handled by template engines or frameworks.

As I said before: you're trying to solve a problem that doesn't really exist. 
If it can be observed anywhere, it's just a symptom of a different problem that 
lies between keyboard and chair, not in PHP.

Also it's not a good idea to call PHP devs ignorant and raging because your 
idea is not accepted. If you believe that it's really needed, try to convince 
people it is so! Insulting will not get you anywhere.


Previous Comments:
------------------------------------------------------------------------
[2012-08-06 13:07:30] kjelkenes at gmail dot com

Ignorance, gotta love it. There is really a difference between the output buffering 
functions and this. I do of course know of the output buffering functions; this 
is NOT RELATED. Read on to really see what I mean about this.



This is how people in most cases write their VIEW logic, meaning ending and 
starting <?php echo ..?> every time they echo stuff. That also means you 
should ESCAPE ALL data that comes to echo, else you are just not SAFE. 


index.php:


<?php
  // Web page title.
  $title = 'My website';
  // An item from the database (untrusted content).
  $item = array('title' => '<script>alert("Hi!")</script>');
?>

<?php ob_start() ?>
<html>
        <head>
                <title><?php echo $title?></title>
        </head>
        <body>
                <div><p><?php echo $item['title']?></p></div>
        </body>
</html>
<?php
// Capture the buffer without sending it. ob_get_flush() would first emit the
// raw, unescaped HTML and only then return it, so the output below would be
// preceded by the live <script> payload.
$content = htmlspecialchars(ob_get_clean(),ENT_QUOTES,'UTF-8');
echo $content;

/*  Returns:
&lt;html&gt;
        &lt;head&gt;
                &lt;title&gt;My website&lt;/title&gt;
        &lt;/head&gt;
        &lt;body&gt;
                &lt;div&gt;&lt;p&gt;&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;&lt;/p&gt;&lt;/div&gt;
        &lt;/body&gt;
&lt;/html&gt;


FAIL?! We NEED a echo handler....
*/
?>




Obviously this won't work if people wrote their template like this (but that's 
up to them...):


index.php

<?php
echo "
<html>
        <head>
                <title>{$title}</title>
        </head>
        <body>
                <div><p>{$item['title']}</p></div>
        </body>
</html>
";



This is wanted behaviour (The use of htmlspecialchars wouldn't be necessary if 
we had a handler that intercepted the echo statement.):


<?php
  // Web page title.
  $title = 'My website';
  // An item from the database (untrusted content).
  $item = array('title' => '<script>alert("Hi!")</script>');
?>

<html>
        <head>
                <title><?php echo htmlspecialchars($title,ENT_QUOTES,'UTF-8')?></title>
        </head>
        <body>
                <div><p><?php echo htmlspecialchars($item['title'],ENT_QUOTES,'UTF-8')?></p></div>
        </body>
</html>
<?php

/*  Returns:
<html>
        <head>
                <title>My website</title>
        </head>
        <body>
                <div><p>&lt;script&gt;alert(&quot;Hi!&quot;)&lt;/script&gt;</p></div>
        </body>
</html>


Perfect!
*/
?>

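An added example, not code from the bug report or from PHP itself, that puts the two positions in this thread side by side: the "intercept everything" behaviour an ob_start() callback gives (the closest PHP gets to the requested echo handler, and what Laruence's and keithm's suggestions amount to), and the single-call escaping at the point of output that phpmpan describes. The function names e(), renderWithBufferCallback(), renderWithPointEscaping(), hasLiveScriptTag() and hasIntactMarkup() are names chosen for this example, the sample data is constructed to match the reporter's snippet, and PHP 7.4 or newer is assumed for the arrow function.

```php
<?php
// Added example (not from the bug report or from php-src). Contrasts escaping
// all output through an ob_start() callback with escaping each untrusted
// value where it is echoed. Assumes PHP 7.4+. Run with: php escape_demo.php
declare(strict_types=1);

// Single-call escaper for untrusted data placed in HTML text or attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strategy A: an output-buffer callback acting as an "echo handler".
// The inner buffer's handler runs on ob_end_flush() and its result flows into
// the outer buffer, which is read back verbatim. Everything that was echoed,
// template markup included, goes through e().
function renderWithBufferCallback(string $title, array $item): string
{
    ob_start();                                                  // outer: captures the final bytes
    ob_start(static fn (string $buffer): string => e($buffer));  // inner: the handler
    echo '<p>', $title, '</p>';
    echo '<p>', $item['title'], '</p>';
    ob_end_flush();                                              // inner handler runs here
    return ob_get_clean();                                       // outer buffer, untouched
}

// Strategy B: escape at the point of output. Only the data passes through e(),
// so the surrounding markup is left as written.
function renderWithPointEscaping(string $title, array $item): string
{
    ob_start();
    echo '<p>', e($title), '</p>';
    echo '<p>', e($item['title']), '</p>';
    return ob_get_clean();
}

// Two coarse checks a reviewer would apply to rendered output.
function hasLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

function hasIntactMarkup(string $html): bool
{
    return strpos($html, '<p>') !== false;
}

// Constructed sample data, shaped like the reporter's example.
$title = 'My website';
$item  = ['title' => '<script>alert("Hi!")</script>'];

$results = [
    'buffer callback' => renderWithBufferCallback($title, $item),
    'point escaping'  => renderWithPointEscaping($title, $item),
];

foreach ($results as $label => $html) {
    printf(
        "%-16s live <script>: %s   markup intact: %s\n%s\n\n",
        $label,
        hasLiveScriptTag($html) ? 'yes' : 'no',
        hasIntactMarkup($html) ? 'yes' : 'no',
        $html
    );
}
```

Both strategies neutralise the payload, but the buffer callback also turns the `<p>` tags into `&lt;p&gt;`, so the page no longer renders as HTML; that is phpmpan's first objection in concrete form. Point-of-output escaping leaves the markup alone and converts only the untrusted value to text, which is why the thread keeps pointing back to a single htmlspecialchars() call rather than a global echo hook.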
------------------------------------------------------------------------
[2012-08-06 01:01:42] ahar...@php.net

The commenters are right: output buffering already deals with the feature as 
requested, and as Laruence points out, the taint extension is available for the 
underlying issue if you want to go down that road.

Closing.

------------------------------------------------------------------------
[2012-08-05 06:55:18] larue...@php.net

1. if you want taint mode, refer to : http://pecl.php.net/taint
2. if you want escape output: refer to http://www.php.net/manual/en/function.ob-start.php

thanks

------------------------------------------------------------------------
[2012-08-05 05:43:07] phpmpan at mpan dot pl

From my point of view, keithm provides a solution that does exactly the thing 
you have asked for. Output buffering wasn't created for this purpose, but it 
can be easily used for it without breaking anything. If this is not what you 
wanted, maybe your description is not clear enough?

However this is a solution for a problem that doesn't exist in reality.
 1. Most of the data output by scripts should never be escaped.
    Yet your idea causes ALL data to be escaped, producing garbage.
 2. In a few specific cases there are small portions of data from untrusted
    sources that should be escaped. In such cases a single call is enough.
    What you want to be introduced requires 3 lines of code (enable escaping,
    echo, disable escaping) just to do the same thing a single function call
    could do.
 3. Even worse: the concept is perpendicular to echo by design,
    but not perpendicular to echo by behaviour. Hence it's a design error.

------------------------------------------------------------------------
[2012-08-05 01:23:44] kjelkenes at gmail dot com

For the comment above.

Ok, You don't see the need?

Output buffering is something completely different. Yes, you can do the same 
with output buffering, but it still includes the HTML that was not printed by 
the parser.



What about this case, do you really think output buffering with ob_start() helps???

<?php ob_start(); ?>
<?php echo $user->getName()?>
<b> This is ALSO cached by output buffer function.....</b>
<?php $content = ob_get_flush(); ?>


That script... yes, ob_start() before everything and ob_get_contents() will 
return the complete parsed content... but it does NOT intercept the ECHO 
statement, meaning if you were about to try parsing:


Meaning output buffering functions could NEVER intercept the echo statement 
(RATHER THE WHOLE THING). 


What if we wanted to intercept the real echo statement and not the ob_* 
functions..


Seriously, your comment does not make sense. You are talking about ob_* 
functions while this is a whole other case; please don't follow this ticket.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62745

