Re: Output escaping PSR

2016-10-06 Thread Geert Eltink
I don't think there should be a PSR to dictate how and if output is escaped. It also shouldn't dictate specific tests. If you are not sure about the security of a template engine output escape function there are better ways like a security audit and sending a PR with fixes or tests. An

Re: Output escaping PSR

2016-10-06 Thread David Négrier
Hey Woody, I'm pretty sure there are a lot of things that need to be discussed if we go the template way. The render method could be: `public function render(array|object $parameters) : string;` In that case, it would be up to the implementers to adapt to the passed parameter. This is mostly

Re: Output escaping PSR

2016-10-06 Thread Woody Gilk
What if my templates use objects?
On Thu, Oct 6, 2016, 04:34 David Négrier wrote:
> Hey,
>
> I would simply like to give a huge +1 to Larry's answer because he did nail the problem perfectly.
>
> Escaping is done in the template, therefore is used by template engine

Re: Output escaping PSR

2016-10-06 Thread David Négrier
Hey, I would simply like to give a huge +1 to Larry's answer because he did nail the problem perfectly. Escaping is done in the template, therefore is used by template engine authors. There are not a hundred different ways to do escaping and an escaping PSR would really dictate an

Re: Output escaping PSR

2016-10-06 Thread Matteo Beccati
Hi,
On 06/10/2016 09:53, Alessandro Lai wrote:
> Maybe the aim of this PSR should be a test suite (or at least a data provider of common and edge cases for tests) instead of an interface: if your escaper passes all the tests, it's PSR-x compliant.
>
> This could be a really good standard,

Re: Output escaping PSR

2016-10-05 Thread Fabien Potencier
On 10/5/16 12:17, Larry Garfield wrote: On 10/05/2016 05:05 PM, Korvin Szanto wrote: On Tue, Oct 4, 2016 at 4:18 PM Sara Golemon wrote: On Tuesday, October 4, 2016 at 9:40:03 AM UTC-7, Korvin Szanto wrote: Are you thinking like a text

Re: Output escaping PSR

2016-10-05 Thread Larry Garfield
On 10/05/2016 05:05 PM, Korvin Szanto wrote: On Tue, Oct 4, 2016 at 4:18 PM Sara Golemon wrote: On Tuesday, October 4, 2016 at 9:40:03 AM UTC-7, Korvin Szanto wrote: Are you thinking like a text filter PSR or more of an output

Re: Output escaping PSR

2016-10-05 Thread Chris Riley
Hi, My thinking was an output escaping spec. It is a lot more nuanced than you may initially think as there is context to consider, e.g. you need to escape differently inside an HTML attribute than you do for straight onto the page, similarly for a JS context or CSS context. An interface containing

Re: Output escaping PSR

2016-10-05 Thread Erik Landvall
I think it's a good idea. following..

Re: Output escaping PSR

2016-10-04 Thread Korvin Szanto
Hi Chris,
Are you thinking like a text filter PSR or more of an output management PSR? It sounds like a single interface with a single method to me: `FilterInterface::filter($mixed): mixed;`.
Thanks,
Korvin
On Tue, Oct 4, 2016 at 7:39 AM Chris Riley wrote:
> Hi,
>
> I