XHP: A New Way to Write PHP (from Facebook) (opens in new tab)

(facebook.com)

134 pointsashu16y ago67 comments

67 comments

XHP rocks so fucking hard, it isn't even funny. It is just so much better than alternatives.

IMHO, It is the only PHP tool I use at facebook that is better than alternatives in other languages. I'm looking at you, django templates!

The notation perfectly represents the objects, with no cruft associated with object oriented programming. That is really rare. You could argue that the markup syntax is cruft, but it really helps code readability to have two types of syntax, for code and for markup.

  $b = <span>quotes and variables</span>;
  $a = <div>omg, I can't "believe" how easy these {$b} are</div>;

nostrademons16y ago

Couple questions:

1. How is this different from Django filters? Is it that the default is HTML escaping instead of having to specify the escaping with each template variable?

2. How does it handle different escaping contexts? For example, text in html attributes needs to be escaped differently from text in the body of the document. Text in URLs or JavaScript has to be escaped differently still, and often times you have to combine these escapings (eg. a JavaScript onClick attribute). Is XHP smart enough to recognize these different contexts and do the right thing, or do you need to fall back to some manual mechanism?

ivankirigin16y ago

Filters are tags in django templates that live in .html files with a bit of logic in a bespoke mini language. XHP for python would be something like this.

  def view_foo( request ):
    baz = "roger, roger"
    return render_foo( baz )
  
  def render_foo( name ):
    return <html><head></head><body>hi, {name}</body></html>

The most glaring difference is that instead of template logic and keywords, you can use python. You definitely want to sequester rendering from the rest of your view, but I see little benefit to django templates. Missing from this code sample is some django middleware which renders a proper HttpResponse() from the XHP return.

I don't know well enough to answer about escaping. Check out the framework, and try it for yourself :)

drusenko16y ago

I'm also very interested in how it is able to escape properly... anybody?

1 more reply

wendroid16y ago

It's turd polish, that doesn't make anything shiny.

If your code looks anything like that, or the examples on the Facebook page, you're doing it wrong.

rimantas16y ago

I fail to see how is this "so much better" than, say, Smarty.

phatbyte16y ago

You clearly don't have any idea how django template engine works lol. How can someone even compare this with django, beats me. But Hey, whatever works for you.

jolie16y ago

I hope you don't mind, but I quoted/linked to this in my post on XHP: http://www.readwriteweb.com/archives/xhp_more_php_enhancemen...

I really liked what you had to say! Please let me know if you want me to remove the quotation or change the links around it. I'm jolie@readwriteweb.com.

jbyers16y ago

For me, XHP is far more interesting than HipHop. And I say that as someone who administers a pile of single-application CPU-bound PHP servers. This completely and forever changes the templates-vs-just-PHP debate, and I'm glad -- it's the kind of evolution PHP needs to continue to be taken seriously.

lanstein16y ago

Strangely enough, I'm reading your PHP code just now :)

jbyers16y ago

Heh, which code is that? If it's anything to do with a certain salesforce-like system at a certain log-searching company, I apologize. :)

1 more reply

jolie16y ago

Hi James! I hope this is ok with you - I quoted & linked to this comment in my post on XHP tonight: http://www.readwriteweb.com/archives/xhp_more_php_enhancemen...

If you want me to remove the quotation or change the links, just let me know. I'm jolie@readwriteweb.com.

jerf16y ago

In a previous job, we used Apache::ASP, which is basically PHP-style <? ?> tags, only with Perl in the insides. We got an awful lot of mileage out of simply re-writing the default <?= ?> equivalent to automatically HTML-escape the contents, and adding a new <?! ?> type thing to pass through the inside unescaped.

It's less "cool" than this, certainly, but making the default reasonably safe and forcing you to ask for the dangerous level of output rather than defaulting to dangerous and having to ask for safe is a lot easier to implement.

brown16y ago

The sentiment here seems to be overwhelmingly positive. Call me a cynic, but this reminds me of "magic_quotes" all over again: a "feature" that tries to help, but masks the fundamental problem.

jbyers16y ago

What is the fundamental problem it masks?

spoondan16y ago

Presumably he means allowing users to thoughtlessly work with unsafe values. One way that XHP could mask this problem is clear by looking at:

    echo <span class="username">{$_POST['name']}</span>;

Now someone comes along and decides the span is unnecessary, turning the code into the (erroneous):

    echo $_POST['name'];

However, I don't think this is a problem with XHP's approach, except in the sense that XHP doesn't go far enough in fixing PHP's faults.

If PHP gave all unsafe values the type "unsafe string" and disallowed all implicit conversion to safe types, then XHP's approach would be a welcome way of doing the right thing by default. Programmer-introduced errors like the above example would result in fatal type errors instead of exploits (presuming "echo" won't take unsafe strings and so requires a conversion function, like htmlspecialchars or the hypothetical unsafe_cast).

1 more reply

commonsense16y ago

The separation of presentation and logic.

Anyone who's spent the 1990s coding Perl CGI will tell you just how big of a step backward this is.

2 more replies

thorax16y ago

  That is, it is impossible to generate malformed webpages while using XHP.

While the purist in me thinks this is great if everyone else uses it, the immense amount of productivity lost when I first started using kid templating (e.g. http://turbogears.org/about/kid.html ) really burned me on this whole concept.

Sometimes I really do want to make a quick test page without crossing all my i's and dotting all the t's. Importing non-perfect markup from a designer is a big pain, too, in this kind of templating system.

And, though it's unfair to say so, some companies do well enough without 100% valid XML markup: http://blog.errorhelp.com/2009/06/27/the-highest-traffic-sit...

drusenko16y ago

Saving 14 bytes per request is something only a very few sites need to think about...

For the rest of us, clarity and semantically correct code are much more useful.

nostrademons16y ago

Wasn't there just a thread complaining about how the end tags make HTML so much more verbose and difficult to read, and that's why people are writing preprocessors like HAML and XHP? I've found that the code is much clearer when you omit your end tags.

As for semantic correctness - it's in the HTML spec, and every major modern browser handles it correctly. Sometimes I wonder if Google's the only folks who actually read the W3C specs, there's been so much cargo-cult advice passed down between web developers.

The "always close your tags" advice came from the early 2000s, when people were pushing XHTML as a way to make your HTML pages XML compliant (the big buzzword back then). It gives essentially no benefit to users, no benefit to developers, costs you bandwidth, makes your pages slower, and clutters up your markup.

3 more replies

jolie16y ago

See also: Rasmus Lerdorf's discussion of XHP: http://toys.lerdorf.com/archives/54-A-quick-look-at-XHP.html

"...when you combine XHP with HipHop PHP you can start to imagine that the performance penalty would be a lot less than 75% and it becomes a viable approach. Of course, this also means that if you are unable to run HipHop you probably want to think a bit and run some tests before adopting this."

stephen16y ago

Scala does basically the same thing with XML:

http://www.scala-lang.org/node/131

...although I doubt it does escaping by default. Should be simple enough to add while you're converting the scala.xml.NodeSeq (iirc) to text.

For an API that required both XML and JSON output, Scala's built-in XML support had us wishing the JSON version of the API was as easy as the XML version.

andre16y ago

I'm going to give it a try, simply because of this: Facebook Lite site was written entirely with XHP.

whalesalad16y ago

BTW for those of you interested in installing on Linux, you'll need php5-dev (so on deb/ubuntu machines a quick apt-get install php5-dev solves it). Run phpize from the root, then the normal ./configure, make, make install etc...

chaosmachine16y ago

I just installed this on a fresh Linode with a basic Ubuntu 9.10 LAMP stack. It built ok, and the module shows up in phpinfo(), but when I try to run any of the example code, I get an error:

  Fatal error: Class 'xhp_a' not found in /home/me/public_html/test.php  on line 3

Here's the code I tested with:

  <?php
  $href = 'http://www.facebook.com';
  echo <a href={$href}>Facebook</a>;

I tried running the code through the xhpize tool, and got the following output:

  <?php
  $href='http://www.facebook.com';
  echo new xhp_a(array('href' => $href,), array('Facebook',), __FILE__, 3);

Which produces the same "class not found" error.

calvin16y ago

I'm having exactly the same problem, same system (Ubuntu Karmic Koala). Prerequisites installed, XHP module installed, it's listed in my phpinfo. For any XHTML tag I include (a, span, ...) the error message says class not included:

  Fatal error: Class 'xhp_span' not found in ...

Any ideas on how to fix would be appreciated. Google and Bing have nothing so far and the module configuration info on the GitHub page is limited: http://wiki.github.com/facebook/xhp/

1 more reply

bshep16y ago

has anyone gotten this to work on OSX?

I get strange errors after I build and add the extension to php.ini

LOG: http://pastie.org/817528

whalesalad16y ago

I have so many damn unnecessary problems with OS X that I've resorted to running a lightweight Debian VM with VMWare. It uses ~250mb out of my 4GB RAM and I can just suspend it whenever I'm not coding.

Benefits: I can use apt-get and have all the other conveniences of a true *nix environment. I can update and try out new software easily (I had XHP running in about 5 minutes). Also, I can create snapshots of my OS so that when my environment is just the way I like it, I can always revert right back to it.

I interact with certain paths on my virtual linux filesystem just as though they were local (like my ~/Sites dir) and have various dev domains in my /etc/hosts file pointing to the VM (which has it's own internal ip).

Cons: It's a standalone VM so it consumes a consistent 250mb of memory. Never really looked at what mysql/apache were doing on my Mac previously (I would assume far less) but I haven't really ran into an issue where the VM is a big issue yet. The convenience far outweighs the chuck of memory it eats up :)

I haven't had a single configuration problem yet ;) For developers the popular phrase is reversed, Debian "just works" and OS X is a pain in my ass.

cmelbye16y ago

Working perfectly for me on OS X snow leopard. It compiled cleanly.

1 more reply

fookyong16y ago

maybe I've misunderstood, but this seems to advocate mixing inline HTML and php logic - isn't that a huge step backwards in terms of web software architecture? I thought we were all using the MVC model by now...

My head just hurts thinking how utterly unmaintainable all that spaghetti code must be.

flogic16y ago

Not really. You can still separate MVC style. Templates have always had some display logic, which is ok. What you don't want is intermixed application logic.

commonsense16y ago

In my opinion this "fuzzy" separation is exactly what frameworks like Django (and many existing PHP MVC frameworks) tries to avoid - they specifically disallow things like arithmetic in their templating language for this reason. As soon as you get more than one person working on a site, you're going to have an overly ambiguous demarcation point between the presentation and the logic layers and it's going to wreak havoc on the development process. It will take an enormous amount of discipline to have a parallel design/code workflow.

Does this offer any benefits to XML comprehension beyond syntactical sugar to allow echo avoid the use of quotes and to remove the god-awful <?php ?> syntax (which puts it at par, at the very best, in my opinion)? Does it handle XML syntax errors gracefully? Can you do native transformations on bound variables, for example, or do any more sophisticated XML DOM-ish tag functions? The post doesn't mention anything about any of these issues, which is where the real advantage would lie. If any of that were possible, you could put the browser DOM (and validation) one step closer to the application logic. As far as I can tell this just attempts to ambiguate the VC in MVC, where Django tries to replace V with T (template).

As far as I'm concerned this only increases the squinty-eyed "WTF" factor between PHP and other languages.

2 more replies

ashuOP16y ago

This doesn't say that at all. The rendering code you write needs to be modular as well, and has quite a bunch of logic built into it (even when all the model and controller logic is separate.) So when you write your renderers as classes or functions, that is when you realize the benefit of XHP.

leftnode16y ago

Ugh, I dislike this a lot. I'm one of the guys who actually likes PHP, so this may be a bit skewed, but what's wrong with PHP's existing alternate syntax? Most people don't know about it, but it's clean and easy to follow:

  <?php if ( true === $some_value ): ?>
    <div>display this div</div>
  <?php else: ?>
    <div>display this div instead</div>
  <?php endif; ?>

This way, you can keep basic logic in your templates (its inevitable and convenient), it's still PHP (there's endforeach, endfor, endwhile, etc.), and this method of templating is very clean.

You can now have a class that sets variables through __set(), loads up a .phtml file, starts output buffering, renders the file with those variables, and then returns it.

You can extend it further to automatically sanitize output variables for XSS and whatnot, cache output, etc. This way, you don't need some overly verbose system like smarty to do what PHP does already. XHP just looks like another smarty: solving a problem that I really don't think exists.

Edit: Ok, I probably shouldn't say I dislike this a lot, I do love seeing Facebook sticking with PHP and ultimately helping it out.

dtjm16y ago

That sort of code can get really messy when you have to put PHP code inside the DIVs.

I think I might like the more concise, readable syntax that XHP offers for interpolating {$variables} (and any PHP code for that matter).

vl16y ago

I'm using PHPTal right now to achieve more or less same effects, but it's not the easiest solution - it becomes a bit cumbersome for long fragments.

XHP looks very promising because it solves one of my problems with PHPTal - generating complex content in the loop (in PHPTal having multiple conditions in loop is possible, but not exactly elegant)

For example:

  <?php
    $list = <ul />;
    foreach ($items as $item) {
      if ($item->bold) {
        $list->appendChild(<li><b>{$item}</b></li>);
      } else if ($item->foobar) {
        $list->appendChild(<li><i>{$item}</i></li>);
      } else {
        $list->appendChild(<li>{$item}</li>);
      }
    }
  ?>

shaunxcode16y ago

Another awesome example of the lengths people will go to compensate for a lack of macros.

I would so much rather see (define table (html-table (map [tr (td _)] rows)))

then

$table = <table>; foreach($rows as $row) { $table->appendChild(<tr><td>{$row}</td></tr>); (assuming this is even possible?) }

JoelMcCracken16y ago

I was just about to make this comment.

I think one of lisp's adoption problems is that it makes things that are just simply amazing become commonplace.

justinph16y ago

Sure, let's take two clusterfucks, php and xml, and smash them together! Great idea!

(Actually, this looks rather handy.. but there is a certain amount of initial WTF.)

drusenko16y ago

very, very cool. i can't wait to dig into this more... it looks like even the basic examples are cool, but there's lots of stuff under the hood waiting to be discovered.

ashuOP16y ago

it is indeed one of the coolest things i have used. the fact that you have all the HTML stored as objects and available for manipulation makes all kinds of crazy post-processing (just before rendering) possible.

there16y ago

seems to me that if they went to the trouble to make it understand xml syntax and error out on invalid code, they should have just made it auto-close tags. on pages where there are heavily nested divs and other things, auto-closing the tags would make the code smaller while still generating valid xhtml and not bothering the developer with such trivial things.

     echo <div><strong><em>blah;

andre16y ago

One last feature of XHP, which has been invaluable to us at Facebook, is that you can define your own elements which can condense a complex component into a simple XHP tag. XHP has a rich collection of declarations which let you define new elements, configure their expected attributes, as well as describe their content model.

Maascamp16y ago

While I understand where you're coming from, I feel like that would result in incredibly confusing markup and only lead to increased headaches down the road. I'm glad they left that out.

1 more reply

callmeed16y ago

This sure would make working with WordPress themes easier.

blasdel16y ago

The useful abstraction might mean that they wouldn't need to be GPLed, especially if combined with a sane view/template separation (like Django's: the template just gets a dict as input and nothing else).

est16y ago

looks like E4X, which security is a problem

http://sla.ckers.org/forum/read.php?2,20408

Any code mix operation & data is dangerous. That's all how overflow exp, injection and XSS works

j / k navigate · click thread line to collapse

67 comments

ivankirigin16y ago

XHP rocks so fucking hard, it isn't even funny. It is just so much better than alternatives.

IMHO, It is the only PHP tool I use at facebook that is better than alternatives in other languages. I'm looking at you, django templates!

  $b = <span>quotes and variables</span>;
  $a = <div>omg, I can't "believe" how easy these {$b} are</div>;

nostrademons16y ago

Couple questions:

1. How is this different from Django filters? Is it that the default is HTML escaping instead of having to specify the escaping with each template variable?

ivankirigin16y ago

Filters are tags in django templates that live in .html files with a bit of logic in a bespoke mini language. XHP for python would be something like this.

  def view_foo( request ):
    baz = "roger, roger"
    return render_foo( baz )
  
  def render_foo( name ):
    return <html><head></head><body>hi, {name}</body></html>

I don't know well enough to answer about escaping. Check out the framework, and try it for yourself :)

drusenko16y ago

I'm also very interested in how it is able to escape properly... anybody?

1 more reply

wendroid16y ago

It's turd polish, that doesn't make anything shiny.

If your code looks anything like that, or the examples on the Facebook page, you're doing it wrong.

rimantas16y ago

I fail to see how is this "so much better" than, say, Smarty.

phatbyte16y ago

You clearly don't have any idea how django template engine works lol. How can someone even compare this with django, beats me. But Hey, whatever works for you.

jolie16y ago

I hope you don't mind, but I quoted/linked to this in my post on XHP: http://www.readwriteweb.com/archives/xhp_more_php_enhancemen...

I really liked what you had to say! Please let me know if you want me to remove the quotation or change the links around it. I'm jolie@readwriteweb.com.

jbyers16y ago

lanstein16y ago

Strangely enough, I'm reading your PHP code just now :)

jbyers16y ago

Heh, which code is that? If it's anything to do with a certain salesforce-like system at a certain log-searching company, I apologize. :)

1 more reply

jolie16y ago

Hi James! I hope this is ok with you - I quoted & linked to this comment in my post on XHP tonight: http://www.readwriteweb.com/archives/xhp_more_php_enhancemen...

If you want me to remove the quotation or change the links, just let me know. I'm jolie@readwriteweb.com.

jerf16y ago

brown16y ago

The sentiment here seems to be overwhelmingly positive. Call me a cynic, but this reminds me of "magic_quotes" all over again: a "feature" that tries to help, but masks the fundamental problem.

jbyers16y ago

What is the fundamental problem it masks?

spoondan16y ago

Presumably he means allowing users to thoughtlessly work with unsafe values. One way that XHP could mask this problem is clear by looking at:

    echo <span class="username">{$_POST['name']}</span>;

Now someone comes along and decides the span is unnecessary, turning the code into the (erroneous):

    echo $_POST['name'];

However, I don't think this is a problem with XHP's approach, except in the sense that XHP doesn't go far enough in fixing PHP's faults.

1 more reply

commonsense16y ago

The separation of presentation and logic.

Anyone who's spent the 1990s coding Perl CGI will tell you just how big of a step backward this is.

2 more replies

thorax16y ago

  That is, it is impossible to generate malformed webpages while using XHP.

And, though it's unfair to say so, some companies do well enough without 100% valid XML markup: http://blog.errorhelp.com/2009/06/27/the-highest-traffic-sit...

drusenko16y ago

Saving 14 bytes per request is something only a very few sites need to think about...

For the rest of us, clarity and semantically correct code are much more useful.

nostrademons16y ago

3 more replies

jolie16y ago

See also: Rasmus Lerdorf's discussion of XHP: http://toys.lerdorf.com/archives/54-A-quick-look-at-XHP.html

stephen16y ago

Scala does basically the same thing with XML:

http://www.scala-lang.org/node/131

...although I doubt it does escaping by default. Should be simple enough to add while you're converting the scala.xml.NodeSeq (iirc) to text.

For an API that required both XML and JSON output, Scala's built-in XML support had us wishing the JSON version of the API was as easy as the XML version.

andre16y ago

I'm going to give it a try, simply because of this: Facebook Lite site was written entirely with XHP.

whalesalad16y ago

chaosmachine16y ago

I just installed this on a fresh Linode with a basic Ubuntu 9.10 LAMP stack. It built ok, and the module shows up in phpinfo(), but when I try to run any of the example code, I get an error:

  Fatal error: Class 'xhp_a' not found in /home/me/public_html/test.php  on line 3

Here's the code I tested with:

  <?php
  $href = 'http://www.facebook.com';
  echo <a href={$href}>Facebook</a>;

I tried running the code through the xhpize tool, and got the following output:

  <?php
  $href='http://www.facebook.com';
  echo new xhp_a(array('href' => $href,), array('Facebook',), __FILE__, 3);

Which produces the same "class not found" error.

calvin16y ago

  Fatal error: Class 'xhp_span' not found in ...

Any ideas on how to fix would be appreciated. Google and Bing have nothing so far and the module configuration info on the GitHub page is limited: http://wiki.github.com/facebook/xhp/

1 more reply

bshep16y ago

has anyone gotten this to work on OSX?

I get strange errors after I build and add the extension to php.ini

LOG: http://pastie.org/817528

whalesalad16y ago

I haven't had a single configuration problem yet ;) For developers the popular phrase is reversed, Debian "just works" and OS X is a pain in my ass.

cmelbye16y ago

Working perfectly for me on OS X snow leopard. It compiled cleanly.

1 more reply

fookyong16y ago

My head just hurts thinking how utterly unmaintainable all that spaghetti code must be.

flogic16y ago

Not really. You can still separate MVC style. Templates have always had some display logic, which is ok. What you don't want is intermixed application logic.

commonsense16y ago

As far as I'm concerned this only increases the squinty-eyed "WTF" factor between PHP and other languages.

2 more replies

ashuOP16y ago

leftnode16y ago

  <?php if ( true === $some_value ): ?>
    <div>display this div</div>
  <?php else: ?>
    <div>display this div instead</div>
  <?php endif; ?>

This way, you can keep basic logic in your templates (its inevitable and convenient), it's still PHP (there's endforeach, endfor, endwhile, etc.), and this method of templating is very clean.

You can now have a class that sets variables through __set(), loads up a .phtml file, starts output buffering, renders the file with those variables, and then returns it.

Edit: Ok, I probably shouldn't say I dislike this a lot, I do love seeing Facebook sticking with PHP and ultimately helping it out.

dtjm16y ago

That sort of code can get really messy when you have to put PHP code inside the DIVs.

I think I might like the more concise, readable syntax that XHP offers for interpolating {$variables} (and any PHP code for that matter).

vl16y ago

I'm using PHPTal right now to achieve more or less same effects, but it's not the easiest solution - it becomes a bit cumbersome for long fragments.

XHP looks very promising because it solves one of my problems with PHPTal - generating complex content in the loop (in PHPTal having multiple conditions in loop is possible, but not exactly elegant)

For example:

  <?php
    $list = <ul />;
    foreach ($items as $item) {
      if ($item->bold) {
        $list->appendChild(<li><b>{$item}</b></li>);
      } else if ($item->foobar) {
        $list->appendChild(<li><i>{$item}</i></li>);
      } else {
        $list->appendChild(<li>{$item}</li>);
      }
    }
  ?>

shaunxcode16y ago

Another awesome example of the lengths people will go to compensate for a lack of macros.

I would so much rather see (define table (html-table (map [tr (td _)] rows)))

then

$table = <table>; foreach($rows as $row) { $table->appendChild(<tr><td>{$row}</td></tr>); (assuming this is even possible?) }

JoelMcCracken16y ago

I was just about to make this comment.

I think one of lisp's adoption problems is that it makes things that are just simply amazing become commonplace.

justinph16y ago

Sure, let's take two clusterfucks, php and xml, and smash them together! Great idea!

(Actually, this looks rather handy.. but there is a certain amount of initial WTF.)

drusenko16y ago

very, very cool. i can't wait to dig into this more... it looks like even the basic examples are cool, but there's lots of stuff under the hood waiting to be discovered.

ashuOP16y ago

there16y ago

     echo <div><strong><em>blah;

andre16y ago

Maascamp16y ago

While I understand where you're coming from, I feel like that would result in incredibly confusing markup and only lead to increased headaches down the road. I'm glad they left that out.

1 more reply

callmeed16y ago

This sure would make working with WordPress themes easier.

blasdel16y ago

est16y ago

looks like E4X, which security is a problem

http://sla.ckers.org/forum/read.php?2,20408

Any code mix operation & data is dangerous. That's all how overflow exp, injection and XSS works

j / k navigate · click thread line to collapse