Summary
-------
The output escaping component for PHP templates does not work very well
and I think it cannot be "fixed". So, I want to remove its support in
Symfony2 entirely. This means that we won't have automatic output
escaping if you use the PHP templating engine in Symfony2.
I think that makes sense because we have decided to use Twig as the
default templating system (and Twig supports a much more robust
implementation of automatic output escaping -- still not finished yet
though.)
Rationale
---------
If we support a feature in Symfony2, it should work as advertised,
especially when we talk about security. But the truth is that automatic
output escaping does not work very well.
I've been fighting with the output escaper and its integration in the
PHP templating system for months now and I'm still not satisfied with
its current state; and I don't see how we can fix all the issues.
I won't list all the problems I've encountered, but just three of them
to illustrate the discussion.
The first problem is that it's quite impossible to garantuee that
everything will be escaped. For instance, static method calls cannot be
escaped (we can argue that this is not a good practice but we cannot
force people not to use them.)
Then, some weeks ago, I fixed double-escaping problems. I then fixed
some bugs, and now, the current implementation is better as it escapes
"more" but now... but it escapes too much. For instance, if you pass a
safe variable by wrapping it with a SafeDecorator object, all method
calls on it should be considered safe. But if you pass the result of a
method call to another template from a template, it will be escaped,
which is not expected:
// in a controller
$var = new SafeDecorator($object);
// in the template
$view->render('...', array('var' => $var->getFoo());
The 'var' variable in the render() call should not be escaped but it
will be as the escaper removes the SafeDecorator when passing $var to
the template.
Last but not the least, the fact that we need to wrap all variables has
also a lot of drawbacks. Main ones are:
* It's slow;
* The wrapped objects do not act as the original objects (many native
PHP functions for instance work for arrays but not for ArrayAccess objects;)
* People expect object from a given type but what they have is different
(it means that sometimes you cannot use type hinting;)
Cheers,
Fabien
--
Fabien Potencier
Sensio CEO - symfony lead developer
sensiolabs.com | symfony-project.org | fabien.potencier.org
Tél: +33 1 40 99 80 80
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to symfony-devs@googlegroups.com
To unsubscribe from this group, send email to
symfony-devs+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
