Also, standards can change sometimes and the same tags may change. It's better to change a thing in one place than to chase a mysterious bug.
On Mon, May 13, 2013 at 9:22 PM, Tyler Romeo <[email protected]> wrote:
> Chris makes a good point. Also, it should be noted that the Html class does
> a lot more than just escape stuff. It does a whole bunch of attribute
> validation and standardization to make output HTML5-sanitary. While in
> simple cases like the one above it will not make a difference, it is
> probably better to maintain a uniform approach when generating HTML output.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2015
> Major in Computer Science
> www.whizkidztech.com | [email protected]
>
>
> On Mon, May 13, 2013 at 2:05 PM, Chris Steipp <[email protected]> wrote:
>
> > On Mon, May 13, 2013 at 10:26 AM, Max Semenik <[email protected]> wrote:
> > > Hi, I've seen recently a lot of code like this:
> > >
> > > $html = Html::openElement( 'div', array( 'class' => 'foo' ) )
> > >     . Html::rawElement( 'p', array(),
> > >         Html::element( 'span', array( 'id' => $somePotentiallyUnsafeId ),
> > >             $somePotentiallyUnsafeText
> > >         )
> > >     )
> > >     . Html::closeElement( 'div' );
> > >
> > > IMO, cruft like this makes things harder to read and adds additional
> > > performance overhead. It can be simplified to
> > >
> > > $html = '<div class="foo'><p>'
> > >     . Html::rawElement( 'p', array(),
> > >         Html::element( 'span', array( 'id' => $somePotentiallyUnsafeId ),
> > >             $somePotentiallyUnsafeText
> > >         )
> > >     )
> > >     . '</p></div>';
> > >
> > > What's your opinion, guys and gals?
> >
> > I'm probably a bad offender here, but you've unintentionally proved my
> > point ;). Note that in your example, you used a single instead of a
> > double quote after foo. Obviously, if you're using an IDE, syntax
> > highlighting would have helped you, but my point being that when you
> > use the classes, you're less likely to make those little mistakes that
> > could potentially have disastrous consequences (like using single
> > quotes around an entity and relying on htmlspecialchars for escaping,
> > etc). And for security, I prefer for people to use whatever will cause
> > the least amount of mistakes.
> >
> > Personally also, when I'm code reviewing I don't like to see <> in the
> > php, but that's my personal preference.
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [email protected]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>

--
Regards, Павел Селіцкас/Pavel Selitskas
Wizardist @ Wikimedia projects
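Added example, not part of the thread and not MediaWiki's own Html class: it shows the two things Chris and Tyler describe, a single-quoted attribute escaped with htmlspecialchars() that can be broken out of, next to a small Html::element()-style helper that escapes and double-quotes every attribute in one place. The helper names (attrUnsafe, attrSafe, element) and the input values are constructed for the example; ENT_COMPAT is passed explicitly so the pre-8.1 default behaviour of htmlspecialchars() is reproduced on any PHP version.

```php
<?php
// Added example (not from the thread, not MediaWiki code). Compares a
// hand-written, single-quoted attribute with a tiny Html::element()-style
// helper. attrUnsafe, attrSafe and element are hypothetical names.

declare(strict_types=1);

// Constructed input standing in for $somePotentiallyUnsafeId: it contains a
// single quote followed by a second attribute.
$unsafeId = "x' data-injected='y";
// Constructed input standing in for $somePotentiallyUnsafeText.
$unsafeText = '<b>not bold</b>';

// The pattern Chris warns about: single quotes around the value, and
// htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1), which
// escapes " but not '. The value can therefore close the attribute early.
function attrUnsafe(string $value): string {
    return "'" . htmlspecialchars($value, ENT_COMPAT) . "'";
}

// Always double-quote and escape with ENT_QUOTES: both quote characters
// become entities, so the value cannot terminate the attribute no matter
// which quoting style a caller had in mind.
function attrSafe(string $value): string {
    return '"' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Minimal stand-in for Html::element(): validates tag and attribute names,
// escapes every attribute value and the text content in one place. Fixing
// an escaping rule here fixes every caller, which is the "change it in one
// place" argument made in the reply above.
function element(string $tag, array $attrs, string $text): string {
    if (!preg_match('/^[a-z][a-z0-9]*$/i', $tag)) {
        throw new InvalidArgumentException('bad tag name');
    }
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        if (!preg_match('/^[a-z][a-z0-9-]*$/i', (string)$name)) {
            throw new InvalidArgumentException('bad attribute name');
        }
        $out .= ' ' . $name . '=' . attrSafe((string)$value);
    }
    return $out . '>'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</' . $tag . '>';
}

// Hand-written markup: the id value survives escaping unchanged and the
// output now carries an attribute the developer never wrote.
echo '<span id=' . attrUnsafe($unsafeId) . '>'
    . htmlspecialchars($unsafeText, ENT_COMPAT) . "</span>\n";

// Helper-generated markup: the quote inside the id is an entity, and the
// text content is escaped by the same routine every time.
echo element('span', ['id' => $unsafeId], $unsafeText), "\n";
```

Run it with `php example.php`. The first line of output contains a `data-injected` attribute that came entirely from the input value; in the second line the id is one double-quoted attribute with the quote encoded as an entity, so the reviewer does not have to inspect each string literal for the quoting mistake Chris spotted in Max's example.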
