Hi Thomas,
On Sat, Jun 18, 2016 at 5:23 AM, Thomas Bley wrote:
> you can simply add the context to the current output operator:
>
>
> (=strip_tags)
>
>
We need in addition. If we adopt this, we must document
clearly that LDAP, SQL, etc are not supported.
I like this
> e.g. it won't protect you from XSS if you ever place user-controlled data
in HTML attributes.
As I've found, such an XSS can have a place in the code like this:
$xss = "');your_code_here();//";
I think this is more architectural problem, not an escaping problem. This
is very special case
I'm +1 for this on require. I'd love to see exceptions for all file I/O
stuff (no more @fopen()!) but in all likelihood, we'd need a new API for
that to keep BC.
On Fri, Jun 17, 2016 at 1:32 PM, Niklas Keller wrote:
> >
> > If something is required, one cannot do without it,
Sure you can implement that in userland, but people don't do it or make it too
complicated,
so you get every day code with unescaped stuff.
Regards
Thomas
Ryan Pallas wrote on 18.06.2016 00:27:
>
>
> On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley
Walter, yes I read, did you read? Niklas wrote:
> The escaping should also be aware of the content encoding.
I wrote: no we have a php.ini setting
The context problem is already answered in the mail from Stas.
Regards
Thomas
Walter Parker wrote on 18.06.2016 00:20:
> Thomas, are you
Thomas, are you actually reading and understanding what the others are
saying?
You seem to be answering questions that have not been asked or giving the
simple, easy and wrong answer.
Walter
On Fri, Jun 17, 2016 at 1:37 PM, Thomas Bley wrote:
> using the default encoding
you can simply add the context to the current output operator:
(=strip_tags)
Regards
Thomas
Stanislav Malyshev wrote on 17.06.2016 22:14:
> Hi!
>
>> Most of output code is an output of properties of database entities, and
>> only in some cases it's needed to concatenate HTML into string
using the default encoding from php.ini's default_charset should be no problem,
htmlspecialchars() already does it if the encoding parameter is not provided.
Regards
Thomas
Niklas Keller wrote on 17.06.2016 22:31:
> Hi,
>
> the issue is that things have to be escaped dependent on the context.
>
> If something is required, one cannot do without it, so there's only one
> course of action, namely to bail out.
What about gracefully bailing out, like showing that composer dependencies
have to be installed?
It's just like a method call. Usually you expect a return value, unless
there's an
Hi,
the issue is that things have to be escaped dependent on the context. If
you are in a HTML context you need different escaping than you need in a
CSS or JS block. The escaping should also be aware of the content encoding.
All that makes it difficult for PHP to directly support such an
Hi!
> Most of output code is an output of properties of database entities, and
> only in some cases it's needed to concatenate HTML into string and then
> print it with unescaped output. Escaped output operator can be useful. Also
> we output data not into the void and not into simple text file,
Hello. I was thinking about a presence of escaped output operator in PHP
and found this feature request: https://bugs.php.net/bug.php?id=62574. I
think this is quite necessary feature. There are a lot of projects which is
written without templating engine, and there are frameworks without
built-in
I would love to see a native ssim/dssim implementation in PHP…
On Fri, Jun 17, 2016 at 6:54 AM, Pierre Joye wrote:
> Hi
> On Jun 17, 2016 8:18 PM, "Christoph Becker" wrote:
> >
> > Hi!
> >
> > I like to suggest to improve the current test suite of the
On Fri, Jun 17, 2016 at 6:47 PM, Christoph Becker wrote:
>
> try {
> require $fileName;
> } catch (Error $e) {
> echo "Oops, maybe deleted? " . $e;
> }
> functionDefinedInFileName();
If anyone chooses to write this kind of code, then let them
On 17/06/2016 17:47, Christoph Becker wrote:
If something is required, one cannot do without it, so there's only one
course of action, namely to bail out. In my opinion, this is the least
surprising way to handle missing required files, especially as it always
has been that way (consider the
On 16.06.2016 at 20:55, Fleshgrinder wrote:
> Education is a hard problem that the whole world is struggling with. We
> will never achieve it. We will especially not achieve convincing people
> of legacy software to change. Heck, we cannot even convince anyone here
> to change legacy stuff.
On 17.06.2016 at 17:44, Niklas Keller wrote:
> 2016-06-17 11:46 GMT+02:00 Christoph Becker :
>
>> On 17.06.2016 at 10:29, Alexander Lisachenko wrote:
>>
>>> Nikita, Dmitry, ping. What do you think, shouldn't we replace all
>> possible
>>> places with Fatal Errors with correct
2016-06-17 11:46 GMT+02:00 Christoph Becker :
> On 17.06.2016 at 10:29, Alexander Lisachenko wrote:
>
> > Nikita, Dmitry, ping. What do you think, shouldn't we replace all
> possible
> > places with Fatal Errors with correct throwing of Error exceptions? In
> > this concrete
Yup, a bad copy/paste.
On 17/06/16 16:06, Julien Pauli wrote:
You seem to be linking the wrong PHP commit.
I'll have a look at it.
Julien
On Fri, Jun 17, 2016 at 2:58 PM, Ivan Enderlin
wrote:
Hello internal,
I have just opened a new bug,
You seem to be linking the wrong PHP commit.
I'll have a look at it.
Julien
On Fri, Jun 17, 2016 at 2:58 PM, Ivan Enderlin
wrote:
> Hello internal,
>
> I have just opened a new bug, https://bugs.php.net/72439 (source of the
> story
Hi
On Jun 17, 2016 8:18 PM, "Christoph Becker" wrote:
>
> Hi!
>
> I like to suggest to improve the current test suite of the gd extension.
> The main issue I see with the current suite is that many (~ 28) tests
> use md5() to verify that a drawn image is correct. However, as
Hi!
I like to suggest to improve the current test suite of the gd extension.
The main issue I see with the current suite is that many (~ 28) tests
use md5() to verify that a drawn image is correct. However, as Pierre
mentioned long ago[1], md5() does not work (reliably) for this purpose.
An
Hello internal,
I have just opened a new bug, https://bugs.php.net/72439 (source of the
story https://github.com/hoaproject/Websocket/issues/66). It seems to be
a regression between 5.5 and 5.6. I quickly suspect
https://github.com/php/php-src/commit/4a2e40bb861bc3cf5fb6863e57486ed60316e97c
Results for project PHP master, build date 2016-06-17 06:29:32+03:00
commit: e2904ff
previous commit:fba6f90
revision date: 2016-06-16 20:12:50+01:00
environment:Haswell-EP
cpu:Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores,
stepping 2, LLC 45 MB
On 17/06/2016 11:37, Björn Larsson wrote:
Den 2016-06-17 kl. 12:15, skrev Rowan Collins:
Do we really trust our future selves so little that we are incapable
of planning more than 6 months ahead?
Well, my interpretation was that postphoning it meant 8.0, which
is not 6 months away. Having it
On 17/06/16 11:15, Rowan Collins wrote:
> Do we really trust our future selves so little that we are incapable of
> planning more than 6 months ahead?
A practical example of the problems of upgrading is perhaps the time it
takes for public services to get updated. Many of my council customers
On Fri, Jun 17, 2016 at 4:57 PM, Matteo Beccati wrote:
> On 16/06/2016 08:18, Pierre Joye wrote:
>> Hi Dmitry
>>
>> I am sorry but I have to ask to wait before merging it.
>>
>> It is definitely not clear that:
>>
>> . The rfc was valid to begin with due to the short discussion
Den 2016-06-17 kl. 12:15, skrev Rowan Collins:
On 17/06/2016 10:49, Björn Larsson wrote:
Well one reason I could think of is that things that get postphoned,
is not the same thing as meaning it will get done in the future.
Again, I am not proposing we indefinitely postpone anything. I am
On 17/06/2016 10:49, Björn Larsson wrote:
Well one reason I could think of is that things that get postphoned,
is not the same thing as meaning it will get done in the future.
Again, I am not proposing we indefinitely postpone anything. I am
proposing we specifically plan when it is going to
On 16/06/2016 08:18, Pierre Joye wrote:
> Hi Dmitry
>
> I am sorry but I have to ask to wait before merging it.
>
> It is definitely not clear that:
>
> . The rfc was valid to begin with due to the short discussion time
> . This BC is acceptable for 7.x
As Dmitry pointed out the change has
Den 2016-06-17 kl. 11:19, skrev Rowan Collins:
On 17/06/2016 10:08, Björn Larsson wrote:
And pardon me, but saying that we can wait until an PHP 8.0 release
that we have no clue about when it will happen sounds in my eyes
a bit to far off. Going that direction means instead that boiler plate
On 17.06.2016 at 10:29, Alexander Lisachenko wrote:
> Nikita, Dmitry, ping. What do you think, shouldn't we replace all possible
> places with Fatal Errors with correct throwing of Error exceptions? In
> this concrete case it's for "require" operator.
>
> From what I can see Error will give us
Den 2016-06-16 kl. 18:30, skrev Rowan Collins:
On 16/06/2016 17:24, Levi Morrison wrote:
I also have to say that to the very short timeline to finalize 7.0
should not be paid by breaking BCs in 7.x. We can have a short
timeline for 8.0 as well. If we need more drastic BC breaks earlier
than
On 17/06/2016 10:08, Björn Larsson wrote:
And pardon me, but saying that we can wait until an PHP 8.0 release
that we have no clue about when it will happen sounds in my eyes
a bit to far off. Going that direction means instead that boiler plate
code is needed to catch that exact number of
Den 2016-06-13 kl. 15:07, skrev Rowan Collins:
On 06/06/2016 08:22, Dmitry Stogov wrote:
Hi,
This mini RFC has been moved to "Voting" state. Voting
began on Jun 6 and will close on June 16.
You can find the full RFC at: https://wiki.php.net/rfc/too_few_args
Hi,
The more I think about
Nikita, Dmitry, ping. What do you think, shouldn't we replace all possible
places with Fatal Errors with correct throwing of Error exceptions? In
this concrete case it's for "require" operator.
>From what I can see Error will give us more control over the file loading
process and make it more
On Jun 17, 2016 1:10 PM, "Dmitry Stogov" wrote:
>
> Got it :(
> Then this may be a serious BC break, and it's better to depricate it in
7.1 and throw exception only in 8.
Fully agree. Thanks :)
> Thanks. Dmitry.
>
>
>
> On Thu, Jun 16, 2016 at 8:14 PM +0300, "Stanislav
Got it :(
Then this may be a serious BC break, and it's better to depricate it in 7.1 and
throw exception only in 8.
Thanks. Dmitry.
On Thu, Jun 16, 2016 at 8:14 PM +0300, "Stanislav Malyshev"
> wrote:
Hi!
> Please review:
38 matches
Mail list logo