TalesInternal method of writing functions can lead to undefined default constants

phptal / PHPTAL

PHP Template Attribute Language — template engine for XSS-proof well-formed XHTML and HTML5 pages

http://phptal.org

GNU Lesser General Public License v2.1

178 stars 42 forks source link

TalesInternal method of writing functions can lead to undefined default constants #13

Closed ajcrites closed 11 years ago

ajcrites commented 11 years ago

PHPTAL/Php/TalesInternal was updated to return function calls as strings at some point, but this can lead to unintended expressions when the default/nothing keywords are used.

For example, any of the following:

<tal:block content="true:"/>
<tal:block content="true:nothing"/>
<tal:block content="true:default"/>
<tal:block content="json:"/>

....and many others will yield notices such as: Undefined constant _NOTHING_NOTHING_NOTHING_NOTHING_

This is because the evaluation of true:, not:, json:, etc. now returns a string like:

phptal_true(_NOTHING_NOTHING_NOTHING_NOTHING_)

This is what convertExpressionToExpressions, TalesChainExecutor::_executeChain, and other methods receive. Many of these methods have exact checks against PHPTAL_Php_TalesInternal::NOTHING_KEYWORD (and DEFAULT), but these will fail against the above expressions.

ajcrites commented 11 years ago

I would like to fix this issue myself, but I haven't contributed to this project before. My suggestions would be to do either one of the following:

Create a TalesInternal method for writing functions that checks against the constants returns null for NOTHING_KEYWORD and possibly throws an exception for DEFAULT_KEYWORD.
- Ideally expressions like true:default would use the actual default value to perform the expression, but I'm not sure if it's available at that time, or if this is even desired.
Delegate the code writing of the function call to the CodeWriter or something (passing the argument(s) and function to be called).

Also it may be preferable to use methods rather than functions for phptal_, but this is most likely a separate issue.

Another possible method would be to check against a match of _NOTHING_NOTHING... within the string before the expression is returned, but I think that is much uglier.

kornelski commented 11 years ago

Thanks for spotting this. I think you've got a good idea what the problem is — I'll be happy to merge a fix if you write one.

How about replacing nothing keyword with an instance of a class that stringifies to null?

class PHPTAL_NothingKeyword {
    function __toString() {return 'null';}
}

This way It'd work when it's treated as a string, but you could check for its special status with instanceof.