How THT Compares to PHP
This page is a mostly-complete list of differences between THT and PHP.
For more background behind these changes, see the Design Notes.
Note on PHP 8PHP 8 introduced some nice additions to the syntax, e.g. named arguments.
It is still TBD on how these will be integrated into THT.
It is still TBD on how these will be integrated into THT.
Syntax
- HTML output is not the default mode. No
<?php
tags. - No semicolons. One statement per line. Note
- No outer parens in control statements.
if true {...}
Note - Shorter function keyword
fn
. - No parens for empty function arguments.
fn foo {...}
- Introduces template functions for output.
tm myHtml { ... }
- Template expressions use
{{ ... }}
instead of<?= ... ?>
- Dot operator
.
for method calls.$foo.method()
Note - Separate Map and List types, instead of one Array type.
- JS literal notation for Maps.
{ key: value }
Note - Quote fences
'''
for multi-line strings. - Strings are single-quote only.
'my string'
. Note - Regex strings are 1st class objects.
r'\d+'
No double-escaping slashes. - No variable references
&$foo
. - Natural 1-based indexing for Lists and Strings. Note
- Can use negative indexes to count from end of List.
$list[-1]
- List append syntax changed from
$list[] = $el
to$list #= $el
. - String concatenation operator changed from
.
to~
. - Only
//
for line comments. No#
. - Nested block comments
/* ... */
are supported. - No C-style
for
loop. Useforeach
instead. Note - No C-style
while
loop. Useloop
instead. Note switch
replaced withmatch
. (coming soon)- Bitwise operators are prefixed with
+
. e.g.+|
,+&
Note - Closures capture all outer variables. No need for the
use
keyword.
Safety
- Each THT file has its own namespace. No implicit globals.
- Variables and functions are validated at compile time.
- No “variable variables”. (e.g.
$$myVar
) - Full stack trace on all runtime errors.
- PHP-level errors and warnings are fatal.
- Standard library uses exceptions, not error codes.
- No database, file, or system calls allowed within templates.
- No assignment inside of conditionals. e.g.
if a = 1
- All string methods support UTF-8 via
mbstring
. - No
===
. Instead,==
does a strict comparison. - Can’t use math on non-number values. e.g.
3 + 'cat'
- Numeric strings are not translated to numbers. e.g.
0 != '0'
- No
null
. Note - Declared argument types are always run in strict mode.
- No warning suppression via
@
.
Consistency
- Standard library is organized into modules and classes.
- Standard library is curated, with more consistent interfaces.
- Function names are case sensitive.
- The only falsey values are:
false
,0
,''
,{}
,[]
- Only camelCase format for variable and function names. Note
- Default charset is UTF-8.
- Date methods default to UTC timezone.
- Numeric database results are auto-converted from strings to numbers.
- Unified code formatting via the Format Checker.
Convenience
New Syntax
||=
and&&=
for OR and AND assignment.||:
and&&:
for OR and AND value coalescing.- One-line block syntax. e.g.
if true: $a = 1
- Lambda expressions via
x{...}
- Quoted lists via
q[...]
- Self-assignment via
$str = .upperCase()
- -flags for boolean options
See Shortcuts
HTML Syntax
- Closing tags do not need a label. e.g.
</>
- Selector style tags. e.g.
<h1.myclass>
- Auto-closing line tags. e.g.
<h1> My Heading
See HTML-C Shortcuts
Performance
- Assets & images are automatically optimized, reducing sizes by up to 70%.
- Images and iframes are automatically set to loading=“lazy”.
- HTML document is structured to include
script
tags at the bottom, andstyle
tags at the top. - Perf Panel provided for benchmarking.
- Cache module provided.
Security
Strings
- Introduces TypeStrings to prevent injection attacks.
- Db module requires TypeStrings. Uses PDO placeholders underneath.
- Web, File, and System modules escape output automatically. (XSS)
Files
- File functions do not work on URLs.
- File functions are sandboxed to the
data
directory. - Source files are hosted outside of Document Root.
- Only source files in the
pages
dir are directly executable. Module files can not be executed directly.
Response
- Default HTTP response headers are set to secure defaults.
- CSP response headers added to prevent client script injection.
- HSTS response headers added to all non-localhost apps.
- Redirects to external URLs are restricted.
Auditing
- High-risk methods are prefixed “xDanger-” for easier auditing.
- Internal THT security functions are in a single module for easier auditing.
Cross Origin
- Non-GET requests are protected with a per-request CSRF token.
- Non-GET requests must come from the local domain, by default.
- Cross-origin requests are protected with Fetch metadata.
Config
- Database config (with passwords) is stored in a local-only config file.
- THT & PHP config are read-only, not changeable at runtime.
Sessions
- All cookie data is kept server-side. Uses a single client-side cookie ID.
- Session config has secure defaults.
Input
- Input from different HTTP methods (GET, REQUEST, etc.) are not intermixed.
- Input data is only accessible through validation methods.
- Input data is stripped of NULL bytes to prevent Null Byte Poisoning.
- File uploads are validated and sandboxed with random names.
- Uploaded images are re-processed and resized, stripping possible attack payloads.
Passwords / Crypto
- Randomization functions use cryptographically strong methods.
- Password inputs are automatically hashed with
bcrypt
and wrapped in a Password object. - Password checks use
password_verify
to prevent timing attacks. - Password checks are rate-limited to limit brute force attacks.
Misc
- High risk PHP functions like
eval
are forbidden.