WordPress-Coding-Standards
Short echo tag ("<?=") must be allowed for use in templates
In the MVC+Templating world, all new code does have template separation from the code.
So in templates with template-like syntax, which uses "if(STATEMENT):", "endif;", "foreach(..):", "endforeach;" - and that does make the code more compact and easier to read for web-designers - the short echo tag "<?=" has to be allowed as well. It is endorsed by Rasmus Lerdorf, the creator of the PHP language; that's why it has always been available since PHP 5.4.0. And WordPress has officially announced that it is dropping support for all older versions prior to PHP 5.6.0 starting this April.
So in a template file with template-like syntax, i.e.
/wp-content/plugins/<PLUGIN_NAME>/UI/Templates/Admin/Item/Shared/ItemsPartial.php
this should be allowed:
<?php foreach($items AS $item): ?>
<div class="item-title"><?=esc_html($item['item_title']);?></div>
<div class="item-description"><?=esc_br_html($item['item_description']);?></div>
<?php endforeach; ?>
And in the Core Contributors handbook, changes have to be made to the Shorthand tags section: https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#no-shorthand-php-tags
Motivation
- The creator of the PHP language, Rasmus Lerdorf, endorses the shorthand <?= tag. He claimed that in public in one of his talks on the (then soon to be released) PHP 5.4. If not for Rasmus, we would never have PHP as the most popular language in the world, and it became so popular just because of Rasmus's need for things to be easy to start, easy to read, and to feel happy - all the coding standards have to help us, not make us hate them.
- That is why since PHP 5.4.0 the <?= tag is always available.
- It was mostly done because, looking over many pre-PHP 5.4 projects, the <?= tag is used in the View of an MVC application but <?php ... ?> is used in the non-view files.
- The primary issue with the tag (<?) was that it was used by another syntax, XML. With the option enabled, you weren't able to output the raw XML declaration without getting syntax errors for this code: <?xml version="1.0" encoding="UTF-8" ?>.
- Although <? causes conflicts with XML, <?= does not.
- Prior to PHP 5.4, the php.ini options to toggle it on and off were tied to short_open_tag, which meant that to get the benefit of the short echo tag (<?=), you had to deal with the issues of the short open tag (<?). The issues associated with the short open tag were much greater than the benefits from the short echo tag.
- Starting from PHP 5.4, the short echo tag has been re-enabled separate from the short_open_tag option. I see this as a direct endorsement of the convenience of <?=, as there's nothing fundamentally wrong with it in and of itself.
- Last December a WordPress core contributor officially announced that starting this April, WordPress is dropping support for all older versions prior to PHP 5.6.0. For more information please read the post at w.org named "Updating the Minimum PHP Version".
- The oldest version of PHP that still gets security fixes is PHP 5.6. In 2020 the majority of hosting providers and stacks like XAMPP will start offering only PHP 7. PHP.net fully supports only PHP 7.2+ as of today.
Additional notes
- The BAD is only the <? tag.
- The GOOD are both the <?php and the <?= tags. Just the first one is dedicated to use in code files, and the second one in template files, to quickly output single elements in a compact and easy-to-read manner.
- If someone has a question regarding esc_br_html(...), the ticket about the missing esc_br_html(...) function is here: https://core.trac.wordpress.org/ticket/46188
- A good read about the short echo tags is this accepted answer at Stackoverflow with 186 up-votes: https://softwareengineering.stackexchange.com/a/151694/182409
Link to WordPress META ticket for Handbook: https://meta.trac.wordpress.org/ticket/4159
Although some folks may not be a fan, I don't think there's any technical reason why we can't have:
<rule ref="Generic.PHP.DisallowShortOpenTag.EchoFound">
<severity>0</severity>
</rule>
in whichever ruleset to allow <?= usage.
Ok, so there are technical reasons why this is not allowed and should not be changed until the WP minimum PHP requirement has changed to 5.4 or higher.
Like @KestutisIT already outlined above:
PHP short open echo tags were only available in PHP 5.2 and 5.3 with the short_open_tag ini setting turned on and this setting was off by default.
As of PHP 5.4, short open echo tags became "always available" independently of the ini setting.
Allowing short open tags, is therefore a security issue as on PHP 5.2/5.3 with short_open_tag turned off the PHP code would be displayed, not the result of the code. This in turn can lead to the inadvertent disclosure of security vulnerabilities.
Even when WP core drops official support for PHP < 5.6, this doesn't mean straight away that the code will no longer run on PHP < 5.6 and it may be a little while before a version is released which actually breaks support for PHP < 5.6.
Similarly, plugins and themes will often support not just the latest WP version, but also a few older versions of WP, so for a while you can expect that at least a portion of those will still support PHP 5.2/5.3 while they still support WP 4.9/5.0 (or older).
With that in mind, I think it's way too early for WPCS to drop the requirement. Maybe in a year or so.
P.S.: that Rasmus supports it is a non-argument, WP has always flown its own course in the face of what official PHP or the FIG recommends. Let's stick to technical arguments instead.
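The tag-recognition rules from the comment above, modelled as an added example (not part of the original thread and not WPCS code): it reports which opening tags a given PHP version and short_open_tag setting would leave unparsed, so that the template source reaches the client as text. The function names and the sample template are constructed for illustration.

```python
import re

# One pattern for every PHP-style opening tag; named groups tell the kinds apart.
TAG_RE = re.compile(
    r"<\?(?:(?P<php>php(?=\s|$))|(?P<echo>=)|(?P<xml>xml(?=\s)))?",
    re.IGNORECASE,
)

def classify_tags(source):
    """Return [(line_number, kind)] with kind in php / echo / xml / short."""
    found = []
    for m in TAG_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        found.append((line, m.lastgroup or "short"))
    return found

def is_recognized(kind, php_version, short_open_tag):
    """Would this PHP configuration treat the tag as the start of PHP code?"""
    if kind == "php":
        return True
    if kind == "echo":
        # Tied to short_open_tag before 5.4, always available from 5.4 on.
        return short_open_tag or php_version >= (5, 4)
    # A bare "<?" follows the ini setting on every version.
    return short_open_tag

def leaked_tags(source, php_version, short_open_tag):
    """Tags whose PHP source would be sent to the client as literal text."""
    return [
        (line, kind)
        for line, kind in classify_tags(source)
        # "<?xml" is meant to be literal output, so it is not a leak.
        if kind != "xml" and not is_recognized(kind, php_version, short_open_tag)
    ]

# Constructed sample template using all three tag styles discussed in the thread.
SAMPLE = (
    "<?php foreach ($items as $item): ?>\n"
    "<div class=\"item-title\"><?= esc_html($item['item_title']); ?></div>\n"
    "<? endforeach; ?>\n"
)

if __name__ == "__main__":
    for version, ini in [((5, 3), False), ((5, 6), False), ((5, 6), True)]:
        print(version, "short_open_tag =", ini, "->", leaked_tags(SAMPLE, version, ini))
```

The model covers tag recognition only; it does not reproduce the parse errors PHP would raise for the resulting unbalanced control structures.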
Allowing short open tags, is therefore a security issue as on PHP 5.2/5.3
That's a fair point, though I believe you meant short open echo tags.
Even when WP core drops official support for PHP < 5.6, this doesn't mean straight away that the code will no longer run on PHP < 5.6 and it may be a little while before a version is released which actually breaks support for PHP < 5.6.
With that in mind, I think it's way too early for WPCS to drop the requirement. Maybe in a year or so.
These two statements seem to be at odds with something like namespaces. WPCS doesn't actively disallow them, so they can be used. Once WP bumps to 5.6+, I don't see any reason for WPCS to continue to actively disallow short echo tags.
Once WP bumps to 5.6+, I don't see any reason for WPCS to continue to actively disallow short echo tags.
@GaryJones It's a handbook rule/Core ruleset, so WPCS can't drop this without further discussion.
https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#no-shorthand-php-tags
This died around March of last year, but there's been movement:
- https://core.trac.wordpress.org/changeset/44950
- https://make.wordpress.org/core/2018/12/08/updating-the-minimum-php-version/
- https://www.php.net/supported-versions.php
It's been over a year since the issue was brought up, and a lot has changed since then.
WordPress now requires PHP 5.6 or higher, and the short echo tag (<?=) has been excluded from the short_open_tag php.ini directive since PHP 5.4. This means that it can't possibly cause fatal errors on PHP 5.4 or above.
@jrfnl provided some valid arguments, but as time goes by they become increasingly less important, and I don't think that compatibility with PHP 5.3 should be a priority, since it has been deprecated for over 5 years now.
Usage statistics of PHP versions also show that the share of versions 5.3 and earlier is becoming more and more negligible. I'd like to emphasize that there's PHP 8 that is planned to be released by the end of the year. There are also official WordPress installation requirements that everybody should pay attention to when developing the core or the plugins.
Furthermore, there's a movement of updating WP coding standards in accordance with modern PHP versions, and now is the best time to introduce that change to the standard and allow using <?= in WP core and its plugins.
https://make.wordpress.org/core/2020/03/20/updating-the-coding-standards-for-modern-php/
@sergeymitr Thanks for the reminder. As this is forbidden in the handbook, we cannot blindly change this. I have put the topic on the shortlist for a next post on Make to open it up for discussion.
Thanks @jrfnl
Hello!
It's been another year since the last reply. Was there any actual discussion on this topic? At the moment the rule that restricts usage of the <?= tag looks obsolete. Please let us know if there are any plans on removing it or starting a discussion on this topic.
Thank you!
+1
+1
+1 :)
+1
Adding +1 comments won't make this issue solved magically. Please don't comment unless you have something substantial to add to the conversation.