PHP RFC Preview: Dynamic Callback Expressions

I’m posting this to get some initial feedback on this idea before I officially submit an RFC.

Background

Even with PHP’s growing object-oriented and functional programming features, the callback remains widely-used and useful. However, forcing authors to create callbacks via strings and arrays presents difficulties:

  1. Most IDEs do not recognize callbacks as such, and so cannot offer autocompletion, rename refactoring, and other benefits of code comprehension.
  2. Authors can misspell identifiers inside strings.
  3. Within namespaced code, authors can forget to prepend the namespace, since function calls within the namespace do not require it.
  4. Where use statements change the identifier for a class, authors can specify the local classname instead of the fully resolved name.

Proposal Continue reading  

String Subtypes for Safer Web Programming

Valid HTML markup involves several different contexts and escaping rules, yet many APIs give no precise indication of which context their string return values are escaped for, or how strings should be escaped before being passed in (let’s not even get into character encoding). Most programming languages only have a single String type, so there’s a strong urge to document function with @param string and/or @return string and move on to other work, but this is rarely sufficient information.

Look at the documentation for WordPress’s get_the_title:

Returns

(string) 
Post title. …

If the title is Stan "The Man" & Capt. <Awesome>, will & and < be escaped? Will the quotes be escaped? “string” leaves these important questions unanswered. This isn’t meant to slight WordPress’s documentation team (they at least frequently give you example code from which you can guess the escaping model); the problem is endemic to web software.

So for better web security—and developer sanity—I think we need a shared vocabulary of string subtypes which can supply this missing metadata at least via mention or annotation in the documentation (if not via actual types).

Proposed Subtypes and Content Models

A basic set of four might help quite a bit. Each should have its own URL to explain its content model in detail, and how it should be handled:

Unescaped
Arbitrary characters not escaped for HTML in any way, possibly including nulls/control characters. If a string’s subtype is not explicit, for safety it should be assumed to contain this content.
Markup
Well-formed HTML markup matching the serialization of a DocumentFragment
TaglessMarkup
Markup containing no literal less-than sign (U+003C) characters (e.g. for output inside title/textarea elements)
AttrValue
TaglessMarkup containing no literal apostrophe (U+0027) or quotation mark (U+0022) characters, for output as a single/double-quoted attribute value

What would these really give us?

These subtypes cannot make promises about what they contain, but are rather for making explicit what they should contain. It’s still up to developers to correctly handle input, character encoding, filtering, and string operations to fulfill those contracts.

The work left to do is to define how these subtypes should be handled and in what contexts they can be output as-is, and what escaping needs to be applied in other contexts.

Obvious Limitations

For the sake of simplicity, these subtypes shouldn’t attempt to address notions of input filtering or whether a string should be considered “clean”, “tainted”, “unsafe”, etc. A type/annotation convention like this should be used to assist—not replace—experienced developers practicing secure coding methods.

We need a frontend design tool for live web pages

It’s quite frequently that an HTML/CSS designer might want to make changes to a live web page. Maybe she doesn’t have write access, or maybe the fixes needed aren’t worth the start-up cost of copying the page locally and working on it there, or multiple designers want to work up ideas on a given page simultaneously. The “Inspect Element” capabilities of most modern browsers will let you make HTML/CSS changes to a live page, but navigating or refreshing causes those changes to be lost, and they’re hard to keep track of.

Here’s a feature wishlist:

  1. keep track of “Inspect Element” user changes with the ability to save them locally
  2. keep changes in discrete “changesets” that can be re-applied, or saved as a unified patch of the original files, or at least as the modified original files
  3. allow swapping page CSS files with user-controlled CSS files (e.g. file:/// or htttp://localhost/)
  4. allow swapped CSS files to be periodically “refreshed” so the user wouldn’t have to switch between CSS editor and browser.

Firefox’s Stylish extension looks to come close to (3), allowing you to add user styles to a page/site, like Greasemonkey does for Javascript. It doesn’t look like the editing experience is great, though.

You can manually do (3) and use the CSS Reload Every bookmarklet, but it reloads all CSS, which is kinda of jarring.

A bookmarklet could implement (3) and (4) and persist its settings in a cookie.

Other ideas?

Update: Here’s a bookmarklet that let’s you swap CSS files and stores its settings in a cookie for the current page. Next step is for it to allow adding files and controlling the cookie path.

You must enable Javascript! (right-click, add to favorites or bookmarks)

(CSSswap source).

“Buy American”

When economies are struggling, protectionism seems well-intentioned: By “buying American” we can go back that golden fantasy age when everything was American-made and everyone had a decent-paying job and could afford the latest luxuries. I have some examples that I hope can convince you that freer trade benefits everyone. It’s not completely intuitive; we commonly think that one person is always screwed in a deal; if it’s good for [insert foreign country], it must be bad for America. Continue reading  

Imagining Better E-mail

[Sitting in my drafts folder since August… Why not]

For building a clean and complete “paper trail” within a single message (which is irrefutably valuable in situations), top posting works great. For responding to individual sections, inline reply is great. Combining the two is generally a mess. In both top/inline models the manual management of quoted text in a text editor is pretty terrible. I posit that there’s no satisfactory solution to this multi-decade debate without a better UI than text editors provide. I’d like to see a reply process more like this:

  1. Highlight a selection for quoting. A reply form appears directly below with the cursor ready. (Commenting on a bill in OpenCongress is a bit like this.)
  2. Type the reply
  3. Repeat as necessary

Make the end points of each “quote” easily adjustable, and allow a preview to show you what the recipients would see, to allow you to reorder sections, to adjust header/footer sigs, etc.

A new message format based on git/hg could hold each previously referenced message in the thread, and with it the ability to walk back through the conversation, as well as embed cleanly the contact info of the senders, cryptographic signatures, etc.

The reader could chose to view the latest message in a variety of ways, including the traditional styles of plain text or HTML.

And you can’t fix e-mail without addressing sender authentication.

HealthCare Thought Exercises

I can’t remember where, but I’m fairly certain I saw compelling evidence that nations with universal access to healthcare, contraceptives, and abortions have the lowest rates of abortions. Let’s assume this is true.

Also assume that the U.S. military, as well as foreign militaries aided by the U.S., engage in a perhaps small but non-zero number of actions which cause more human suffering, in lives and in residual physical and emotional scars, than the actions prevent.

Now assume that, ten years from now, ObamaCare will have reduced abortions by millions/year and have produced a net fiscal drain on the federal government, forcing it to reduce some of the aforementioned military actions.

Would it be a “moral” law?

I think the biggest leap here is assuming the federal govt. would cut military spending. More likely we’d see cuts targeting the weakest interests (the poor), and/or tax increases most significantly affecting the middle class.

Assume now that ObamaCare ends up raising significantly the net per capita cost of healthcare (cost of drugs, premiums, copays, taxes, etc.), and this effectively reduces the standard of living, particularly at the lower classes.

Also assume that ObamaCare results in the stifling of drug & medical product innovation, resulting in millions of avoidable deaths and suffering in the future.

Would it be a “moral” law?

What if FDR had successfully lobbied to get a national healthcare system established; and that U.S. medical innovation had progressed at a reduced rate since 1940 or so?

What if Republicans enacted a “free market” healthcare system which turned out to significantly reduce costs, but in doing so also reduced quality and the margin of profit available to go towards innovation? I.e. is a “cheap” healthcare system (which we certainly had before WWI) “better” than a costly one if the margins go towards preventing future suffering?

Is it fair to assume that in our costly system those margins do go towards “societally beneficial” innovation rather than, say, executive pockets and the development of expensive new drugs which are only slightly more effective than existing ones?

Reverse Glasses and Map Flopping

Update June 2013: These exist!

Years ago I had an idea for “reverse” glasses. All they would do is invert horizontally–or flop–the image your retinas receive as if you were viewing through a mirror. I suspect after a brief period of adjustment you’d be able to function fairly normally wearing them, but your common surroundings would appear oddly different, like the first day waking up in a house with a reversed floor plan.

Asymmetrical skateboarding spots limit your trick options because, as a skater–even if you’re great at skating switchstance–you’re either regular or goofy foot. If there’s only one obvious direction to hit something from, you kind of lose half the available tricks to try on it. Flopped glasses couldn’t switch your natural skating stance, but they would let you see every spot as having a flopped equivalent, which is where the game developers come in.

Every 2 or 3-dimensional game should have a “flop map” option, which would flop the player’s map (but not the controls). This would be fairly trivial for the developer, but would give players double the (perceived) number of unique maps to play on. Obviously this is only interesting on asymmetrical maps like a city or a famous golf course–flopping most sport courts/fields wouldn’t have any real effect.

Another feature of the glasses: They would “correct” what you see in mirrors to be exactly what the world sees–parted hair/crooked teeth/wristwatch on the opposite side. Weird and awesome.

Stewart’s Crazy Solution to Global Warming

During Jon Stewart’s interview with Al Gore, Stewart half-jokingly proposes one solution to the problem of oil interests slowing the move towards cleaner energies:

Stewart: Partner up with Exxon and say, “You own the oil and gas now; you can own the new thing.”

I have to admit, granting the oil companies monopolies on the replacement technologies would be a pragmatic solution to the problem. It would be messy, full of complicated conditions, and would horrify those that feel the oil companies should pay for the damage oil is doing, but the alternative we’re facing is a very slow mush toward the new paradigm while the planet suffers.

Moments later Stewart acknowledges that clean technologies will also eventually be controlled by a few large corporations, and of course he’s right. We’re just going to slowly trade one set of executives and lobbyists for another and with the unlikely hope that the new ones will hold the planet’s best interests above the bottom line.

Call it “SecondOpinion”

The creators of StackOverflow should team up with the Dept. of Health & Human Services and launch a medical Q&A site based on the SO model.

StackOverflow was designed by a few programmers to scratch an itch within the community, and the model they came up with made it the most effective question/answer site I’ve ever used. Got a really, really tough programming question? You can probably get a half dozen answers in 5 or 10 minutes, and if you wait a day, you can see them ranked by quality by several programmers within your field.

As medical professionals contributed answers, comments, and votes in their spare time, a medical version of SO would quickly turn into an amazing resource for public health.

It might require some tweaking. SO users are generally in the same community, though sometimes different specialties. This makes it easier to design behavior-reinforcing tricks to keep user contributing. Every time I get a question answered I almost always end up taking a few minutes to provided input to other questions, and I earn points and “badges” for contributing (what other users deem as) good info.

On a medical Q&A site the advice takers and givers are mostly exclusive communities, but I think professionals would still contribute, and we could create ways to encourage them. Medical schools could require students to earn points on the site; we could reward consistently good contributors financially or with real awards.