Paul M. Jones

Don't listen to the crowd, they say "jump."

The Incredibles

Pixar's "The Incredibles" (from Brad Bird, who did "The Iron Giant" before this) is simply magnificent. It's a family film in the best sense of the word; everyone will enjoy it immensely for different reasons. The movie is fun for kids (but not too young; 6 or 7 years old is probably the lower limit) and satisfying for adults (and comic book fans of any caliber will love the asides and references).

The film homages a wide range of other storylines, including James Bond, Star Wars, almost every mainstream superhero comic ever written, and Atlas Shrugged (although in a strange way; others have noted that the most Rand-esque character is in fact the villain, but the general themes of individual achievement are in line with Rand).

One bit-part character that I thought particularly funny was their Joker type, a French clown named "Bomb Voyage."

Rating: worth full evening price, more than once. (This is the highest rating. I have seen it 3 or 4 times in the theater now and it just gets better; there's too much going on to take it all in at one viewing.)


Restrictive ("Secure") Compiler for Savant

This page is to track issues related to the new "secure" compiler for Savant. A number of people (notably and most recently RevJim) have opined that Savant needs a decent secure compiler so that untrusted users can be allowed to edit templates. I agree.

Note: The compiler is not a required element. The normal use of Savant remains; that is, PHP itself is the template markup. The only time you really need to compile a template is when you have anonymous or otherwise possibly malicious users, and this compiler exists to support that relatively rare case.

So the idea now is to replace the existing "basic" compiler with a more-secure version; you can view the source code here. Note that it depends on Josh Eichorn's excellent PHPCodeAnalyzer script, which itself depends on the tokenizer function in PHP 4.3.0 and later.

I don't know if I like calling the new compiler "secure" or not, but it sure is restrictive. Here are the built-in restrictions and features:

  • The markup language is PHP in most cases, just surrounded in non-PHP tags
  • Prefix and suffix tags default to "{" and "}", but are user-definable.
  • No <?php ... ?> or <? ... ?> tags allowed
  • Simple variable echoing via {$var}
  • Comments via {* ... *}
  • Control structures are regular PHP ( {if (...):}, {else}, {foreach (...):}, etc)
  • No support for switch/case, but break and continue are allowed
  • Plugins supported via {['pluginName', 'arg1', $arg2, ... ]}
  • Certain language constructs are disallowed: eval, global, include[_once], require[_once], parent, self
  • The only way to include other templates is via the {tpl} tag
  • If the Savant $_restrict flag is on, template requests are restricted to specific allowed paths
  • Access to superglobals ($GLOBALS, $_GET, etc) is disallowed
  • Access to private $this properties is disallowed
  • Variable-variables and variable-functions are disallowed
  • Only whitelisted functions are allowed (the whitelist is user-definable)
  • Only whitelisted static method calls are allowed (the whitelist is user-definable)
  • Use of $this by itself is disallowed; it must be followed by -> (e.g., "$this" generates an error, but "$this_thing" and "$this->property" are allowed)

I think that's it. If compilation generates errors, the compiled script is not saved and the compiler returns a list of restriction violations with line numbers (the numbers correspond to both the source template and the compiled template because the markup language is very close to native PHP).

Comments? Questions? Have I forgotten to take something into account? It's only been a week, so I am sure to have missed some form of sneakiness.
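To make the restriction list above concrete, here is an added example of how such checks can be expressed over the PHP tokenizer's output. It is not Savant's compiler and does not use PHPCodeAnalyzer; it walks token_get_all() directly. The function names (compileSavantTemplate, checkRestrictions), the minimal {...} to <?php ?> compile step, the whitelist contents, and the reading of "private" as an underscore-prefixed member name are all assumptions made for this illustration; plugins and the {tpl} tag are not handled.

```php
<?php
// Added illustration for this page; not Savant's own compiler. Function names,
// the tiny {...} -> <?php ?> compile step, the whitelists and the "underscore
// prefix means private" convention are assumptions. Needs PHP 7.4 or later.

// {* *} comments vanish, {$var} becomes an echo, and any other {...} becomes a
// PHP statement. A raw <? tag is refused before any compilation happens.
function compileSavantTemplate(string $tpl): array
{
    $pos = strpos($tpl, '<?');
    if ($pos !== false) {
        $line = substr_count(substr($tpl, 0, $pos), "\n") + 1;
        return [null, [[$line, 'raw PHP open tag in template']]];
    }
    $php = preg_replace('/\{\*.*?\*\}/s', '', $tpl);
    $php = preg_replace('/\{(\$[^{}]*)\}/', '<?php echo $1; ?>', $php);
    $php = preg_replace('/\{([^{}]*)\}/', '<?php $1 ?>', $php);
    return [$php, []];
}

// Walk the tokenizer output of the compiled PHP and collect a [line, reason]
// pair for every restriction violation; line numbers match the template.
function checkRestrictions(string $php, array $allowedFunctions, array $allowedStatics): array
{
    $tokens = [];
    $line = 1;
    foreach (token_get_all($php) as $t) {          // normalise to [id, text, line]
        if (is_array($t)) {
            $line = $t[2];
            $tokens[] = [$t[0], $t[1], $line];
            $line += substr_count($t[1], "\n");
        } else {
            $tokens[] = [$t, $t, $line];            // single-character token
        }
    }
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $step = function (int $i, int $dir) use ($tokens, $skip): int {
        for ($j = $i + $dir; $j >= 0 && $j < count($tokens); $j += $dir) {
            if (!in_array($tokens[$j][0], $skip, true)) return $j;
        }
        return -1;
    };
    $is = fn(int $j, $want): bool => $j >= 0 && $tokens[$j][0] === $want;
    $constructs = [T_EVAL => 'eval', T_GLOBAL => 'global', T_INCLUDE => 'include',
        T_INCLUDE_ONCE => 'include_once', T_REQUIRE => 'require', T_REQUIRE_ONCE => 'require_once'];
    $superglobals = ['$GLOBALS', '$_GET', '$_POST', '$_COOKIE', '$_SERVER', '$_ENV',
        '$_REQUEST', '$_FILES', '$_SESSION'];
    $bad = [];
    foreach ($tokens as $i => [$id, $text, $ln]) {
        $next = $step($i, 1);
        if (isset($constructs[$id])) {
            $bad[] = [$ln, "language construct '{$constructs[$id]}'"];
        } elseif ($id === '$') {                                           // $$name
            $bad[] = [$ln, 'variable-variable'];
        } elseif ($id === T_VARIABLE && in_array($text, $superglobals, true)) {
            $bad[] = [$ln, "superglobal $text"];
        } elseif ($id === T_VARIABLE && $text === '$this' && !$is($next, T_OBJECT_OPERATOR)) {
            $bad[] = [$ln, '$this used by itself'];
        } elseif ($id === T_VARIABLE && $is($next, '(')) {                   // $fn()
            $bad[] = [$ln, "variable-function $text()"];
        } elseif ($id === T_OBJECT_OPERATOR && $is($next, T_STRING) && $tokens[$next][1][0] === '_') {
            $bad[] = [$ln, "private member {$tokens[$next][1]}"];
        } elseif ($id === T_OBJECT_OPERATOR && $is($next, T_VARIABLE)) {     // $obj->$name
            $bad[] = [$ln, "variable member {$tokens[$next][1]}"];
        } elseif ($id === T_STRING && in_array(strtolower($text), ['parent', 'self'], true)) {
            $bad[] = [$ln, "language construct '$text'"];
        } elseif ($id === T_STRING && $is($next, T_DOUBLE_COLON)) {          // Class::method()
            $m = $step($next, 1);
            if ($is($m, T_STRING) && $is($step($m, 1), '(')) {
                $call = strtolower($text . '::' . $tokens[$m][1]);
                if (!in_array($call, $allowedStatics, true)) $bad[] = [$ln, "static call $call() not whitelisted"];
            }
        } elseif ($id === T_STRING && $is($next, '(')) {                     // plain function call
            $prev = $step($i, -1);
            $notCall = $is($prev, T_OBJECT_OPERATOR) || $is($prev, T_DOUBLE_COLON)
                || $is($prev, T_FUNCTION) || $is($prev, T_NEW);              // method, static, definition, new
            if (!$notCall && !in_array(strtolower($text), $allowedFunctions, true)) {
                $bad[] = [$ln, "function $text() not whitelisted"];
            }
        }
    }
    return $bad;
}

// Constructed sample template; compilation keeps line numbers one-to-one.
$template = <<<'TPL'
<h1>{$title}</h1>
{* a harmless comment *}
{foreach ($this->items as $item):}
  <li>{echo htmlspecialchars($item)}</li>
{endforeach}
{if (isset($_GET['debug'])):}{eval($this->_secret)}{endif}
{$fn = $$name}{$fn()}
TPL;

[$php, $errors] = compileSavantTemplate($template);
if ($php !== null) {
    $errors = checkRestrictions($php, ['htmlspecialchars', 'count', 'date'], ['date::format']);
}
foreach ($errors as [$ln, $why]) {       // the compiled script is only saved when $errors is empty
    echo "line $ln: $why\n";
}
```

In the constructed template, lines 1 through 5 pass, while line 6 trips the superglobal, eval and private-member checks and line 7 trips the variable-variable and variable-function checks, each reported with the template line number. The checker deliberately works on tokens rather than regular expressions, which is what lets it tell a whitelisted function call apart from a method name or a static call.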


Dog Update

These are my two dogs, Zoe on the left, Wendy on the right. This is a rare picture of them together in calmness.

Zoe and Wendy, First Night Together

Zoe is "big dog" between them, but Wendy wants very much to be "big dog." I believe that Wendy is plotting to take over the world, but her immediate goal is to take over the house, starting with Zoe. When they're both awake, not 30 minutes goes by where Wendy does not attempt to bite Zoe on the scruff, or take away some toy that Zoe is guarding. (Zoe tolerates this for about thirty seconds, then lays into her to re-assert her big-dogness.)

The biting thing is not restricted to challenging Zoe; Wendy is a toothy little girl. She loves my shirts, especially dress shirts, because she can pull at the buttons. If I leave a shirt in reach, and she is a very long dog so she can reach far, I will find the shirt later with dried slobber and tooth marks around each individual button -- and sometimes tooth marks where a button **used** to be.

To boot, she's a little butter-thief. If I leave the butter out and uncovered, I will come back to it to find the butter-knife displaced and the butter itself with a big curvy section licked out of it.

She's good when she's not naughty, but she is **so** naughty. It's good that she's cute, otherwise there'd be a problem. ;-)


Savant Article in PHP-Mag

My article on Savant has been published in the 01.2005 edition of International PHP Magazine. I subtitled it "How I learned to stop using Smarty and love PHP for template markup" (so what if I love old movies?).

In the Development track, Paul Jones elaborates on how he learned to stop using Smarty and love PHP for template markup. He holds forth on Savant, a lightweight, object-oriented, fast and powerful solution that leverages the power of PHP markup with the convenience of plugins and path management -- all without compiling.


"The Mission" by Dana Priest

Dana Priest is (was?) a reporter for the Washington Post; I understand that she was the military and intelligence reporter for that paper. In "The Mission" she details several recent military missions from Kosovo to Kandahar, gives biographies on military personnel from top General officers to infantry grunts, and describes the daily lives of soldiers and special forces operators while in training and while in the field.

Among other things, she points out that the State Department has (de facto) abdicated to the military much of State's responsibility for creating and communicating foreign policy. Military personnel are used as ambassadors and diplomats, and are given broad authority to accomplish ill-defined non-military goals.

I have heard her speak via C-SPAN and other programs; her stand appears to be that we need a civilian "nation-building" (or "re-building") department to help nations get back on their feet after our military goes in (for whatever reason, from peacekeeping in Bosnia to ouster in Iraq). She believes that the military is not suited for what are essentially civilian tasks: policing, hospital building, water supply, electricity production, economic invigoration, and so on. We must remember that the military is a tool for destruction, and ever more for selective and precise destruction, not for construction. For example, see her chapters on the soldier who murdered an 11-year-old Albanian girl; it is a true story, and while representative of a vanishingly small minority of military personnel, it serves well as analogy as to why military training and culture (which is good and necessary for military purposes) do not translate well into civilian activities under military sponsorship.

I find that I agree with Ms Priest. In a way, her work ties in nicely with Thomas Barnett's NewRuleSets ideas: the military needs to be able to kill people and destroy materiel, but then we need a civilian counterpart corps to rebuild what earlier tyrants have destroyed or prevented from being built in the first place.

Note: The idea of having this rebuilding corps is **not** a way of saying "the US needs to fix what it breaks after invasion" (even though we do). For example, don't tell me that the USA decimated Iraq as a whole, because it's not true; Saddam did more to damage the people of that country in 30 years than we are capable of conceiving. This hypothetical civilian rebuilding corps would help get the people on their feet (after we militarily remove the tyrants who drove the people down) by building or improving existing institutions and organizations and services.


Toward a Secure Compiler for Savant

Savant uses PHP for its template markup, but also supports external compilers. Unfortunately, the example compiler in the distro is not that secure.

But! Joshua Eichorn has put together a spiffy PHP code analysis tool called PHPCodeAnalyzer. It takes PHP code, runs the PHP tokenizer on it, and reports back what functions, methods, etc. are present in the code. This could serve as a basis for a secure compiler for Savant, which in turn might be the tipping point for RevJim.

(Reverend, if you're reading, I'd be very happy to hear your comments on this).


Code Tests As Code Tutorials

Early in the development of Savant (back when it was HTML_Template_Dummy) I broke the assign() method without knowing it, then distributed the source to early adopter testers. Of course, they discovered the break right away. Embarrassed, I wrote up a quick series of "visual" test scripts to run on each release. They are not automated; basically, they instantiate Savant and print out the results of various method calls, which I then eyeball to look for problems. While not optimal, and certainly not "best practice," it's good enough most of the time.

However, such "eyeball" tests seem to have an unexpected benefit. I just got a comment from Alex at Sourcelibre saying:

In version 2.3.2, the directory ... Savant2/tests are really useful. I almost always prefer examples to explanations, and these examples are just perfect.

Well look at that. I wrote up code examples and I didn't even know it. While it's not documentation per se, it appears to add a lot of value to the package.

So now there's at least one more reason to write non-automated tests for your libraries: if the tests are designed to be human readable, not machine readable, then they can serve the purpose of testing **and** tutorial.


Damn Deserters

Via Instapundit, from L. T. Smash:

But let's put your personal considerations aside for the moment. After all, a martyr cares nothing for his own life. That is how you see yourself, isn't it?

When you were planning your dramatic "statement," did you think for a minute about how this would affect your shipmates? You are a fire control technician on the Sea Sparrow surface-to-air missile system. The Navy doesn't have a bunch of spare FCs sitting in cold storage. Your ship is going to the Arabian Gulf, and will have to pass through the "threat arcs" of Iran's Silkworm anti-ship missiles -- and in case you haven't noticed, we're not exactly buddy-buddy with the mullahs these days. The Sea Sparrow is a critical point-defense system for your ship. So your job isn't one that the Navy can afford to shrug off -- somebody else is going to have to do it.

One of two things is going to happen. Either your shipmates are going to have to pull extra shifts to cover for your absence, or -- more likely -- somebody from another ship is going to get emergency orders to take your place in the coming days. Maybe that person is married; maybe he even has kids.

And you pulled this little stunt just in time for Christmas.

When I was in Desert Shield / Desert Storm in 1990, we saw all sorts of this kind of behavior. Kids who signed up into the reserves were called to duty per their contract, and responded with "You mean I have to fight? I thought you were just giving me free money for college!"

They did whatever they could to avoid deploying to Saudi. The level of conscientious objectorship went up significantly in about two weeks, as did the pregnancy rate among females both at home and in-theater (if you got pregnant, especially on a ship at sea, you got sent home) over the next six months.

Cowards and freeloaders the lot of them. No sense of duty, no sense of honor, no sense of commitment. They were happy to take the goods, but actively avoided returning their service. >:-


Savant 2.3.2 released

Savant sees a new release today, version 2.3.2. It's a bugfix release; the change notes are:

* can now use assign() to assign a null value by name (thanks, Michael Caplan)

* the dateformat plugin now correctly refers to named custom formats (thanks, maxim at inform-link dot co dot uk)

* added tests for named custom dateformat strings

In related news, it seems that Monte Ohrt (or someone using his name) of Smarty fame wanted to take issue with some of my comments about caching over at the house of Reverend Jim. Give Jim some traffic and see for yourself which point of view you agree with; when you're done, be sure to check out his photography work.

Finally, the Savant site has seen quadruple its normal traffic in the past 24 hours. Normally it gets about 1000 hits/day, but right now it's at 4000. Could it be that my new article for PHP Magazine on Savant has been released?

Savant is a template system for PHP that uses PHP itself as the template markup language. Savant has plugins, output filters, customized error handling, and allows you to hook in a compiler object to deal with customized non-PHP template markup. I call it the simple, elegant, and powerful alternative to Smarty.

Update: Looks like SitePoint Tech Times has a link to Savant, which explains the traffic increase. Thanks to Sean from #pear on IRC for the information, and thanks to the SitePoint folks for mentioning the project.

Update 2: At midnight: 6763 hits in 24 hours. Sweet. :-)