[erlang-questions] Thoughts on EHE - the PHP killer

Matti Oinas matti.oinas@REDACTED
Sat Feb 18 13:31:13 CET 2012 

Hi Joe,

This is really great. Now it is simpler to take old page layout from PHP 
sites and rewrite the application using Erlang.

There is one big problem with EHE, PHP, Django, ErlyDTL, etc and it is 
that the template isn't plain HTML. Any of these needs some kind of 
special syntax to inserted into HTML to control the generation of final 
output.

Enlive (https://github.com/cgrand/enlive) solves this problem in a 
really nice way. Enlive templates are nothing but plain HTML. This is a 
big advantage because many times the HTML templates are written by 
graphical designers. When using PHP I have to modify the templates to 
insert PHP code to right places to make it work. It is the same with 
django, erlydtl and ehe. When template is updated then I have to do this 
again. With enlive I could just replace the old template with the new 
one and no other changes are needed.

Template library like enlive can also solve most XSS vulnerabilities 
without any help from developer because the library knows the context 
where the dynamic data is going and can use proper quoting for that context.

In PHP and EHE it is easy to create XSS vulnerabilities.

<div id="<?e Id ?>">...</div>

If Id string contains " character then there is XSS vulnerability. 
Developers must remember to escape data before using it. Enlive like 
template library can execute proper escape functions because it is aware 
of the context where that data is going to be inserted. ErlyDTL makes 
automatic escapes, but the defaults aren't always enough because HTML is 
a pretty complex beast that requires different characters escaped 
depending on the context. Developer doesn't need to escape the data 
because library makes it automatically so no more XSS vulnerabilities 
because developer forgot to escape some data before it was inserted into 
template.

Biggest problem with enlive is that it is written with clojure. Not that 
clojure isn't great but it still isn't erlang.

I think it is time to rewrite some PHP code with erlang and EHE.

Matti

On 02/18/2012 01:13 PM, Joe Armstrong wrote:
> Thoughts on EHE
>
> I'm playing with a little language for writing web applications.
> It's called EHE. All it is HTML with embedded Erlang
>
> I like EHE very much since it is the simplest possible way of embedding
> Erlang in a web page - I can think of no simpler method - the learning
> gap (if you know Erlang and HTML) is pretty near zero. For me
> simple = good.
>
> What is EHE?
>
> An EHE script is just a file with the extension .ehe. The file
> contains HTML or XHTML with embedded Erlang.
>
> The embedding syntax is
>
>      <?e ....... ?>
>
> This syntax is chosen since this notation corresponds to an XML processing
> instruction.
>
> Inside the block is sequence of Erlang expressions.
>
> The replacement value of the block is the last value of the sequence is
> just the last value in the sequence, which must be an IO list.
>
> Binding are propagated forwards between blocks.
>
> Here's an example
>
>      <h1>Hello</h1>
>
>       <?e Name ="joe", "" ?>
>
>      <p>  Hello<?e Name ?>
>
> The first block binds the variable Name and injects "" into the text
> The second block injects "joe" into the text.
>
> Communicating with the environment:
>
>    Inside EHE the global variable SYS provides a bridge to the outside world.
>
>    We can imagine a library of useful functions that change the state of the
>    environment - like:
>
>       <?e SYS:get_db(Key) ?>
>       <?e SYS:put_db(Key, Value) ?>
>
>       <?e SYS:set_header(Header, Value) ?>
>       ...
>
>       and so on
>
>    SYS is a parametrised module that is configured *outside* EHE - so
> we can change
> the database later *without* changing the EHE code.
>
>     There is an implementation of EHE at
>
>        https://github.com/joearms/adapter_pattern
>
>        (actually there is no SYS module in the git hub code, just an
> object called Req)
>
>     Question: Do we need more than this in an embedded language.
>
>     On part of me says NO WAY - you have the full power of erlang at
> your disposal.
>
>     Another part says
>
>        <? if_true_skip_block(X), ""?>
>          ...
>        <? ... ?>
>
>       Might mean if X is true then omit the block of HTML immediately following
> the erlang code block.
>
>       The problem with this is that it leads to a half-baked badly thought out
> mess of language and a slippery slope where we want to add just one
> more feature.
>
>       For this reason I would suggest that EHE only has the semantics I
> have suggested
> and nothing else.
>
>       Note - while EHE is interpreted it can easily be compiled if efficiency
> is a problem.
>
>       Now the next question - what are the SYS functions:
>
>       SYS:lookup(Key) ->  {ok, Value} | error
>
> SYS is a parametric module that bridges you into Erlang - but what
> functions should it
> support?
>
> /Joe
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

More information about the erlang-questions mailing list