PHP has been a staple of server-side web development for years. Now, a developer from Netflix is building a variation on the language that offers “the good parts” while purporting to be easier to use and more secure.
OWL features a web framework that includes a router as well as a template system for embedding HTML and other content within scripts. To prevent cross-site scripting (XSS), the template function system automatically escapes OWL expressions. OWL was built with secure string handling in mind to protect against a major source of web vulnerabilities, Lesko added.
“It’s really difficult, even for experienced developers, to cover every possibility, so I think it’s important for a web language to protect as much as it can by default.” For example, OWL automatically sends CSP (Content Security Policy) headers to prevent malicious client scripts and requires LockStrings, a new kind of templatized string, for sensitive operations like database queries and system calls.
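The idea behind a templatized string for sensitive operations can be sketched in plain PHP. This is an added example, not OWL syntax or OWL's implementation: the `LockedString` class and `db_query` function are hypothetical names, and it assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the "LockString" idea: a fixed template plus
// separately carried values. Not OWL syntax and not OWL's implementation.
final class LockedString
{
    private $template;
    private $params = [];

    public function __construct(string $template)
    {
        $this->template = $template;
    }

    // Values never touch the template text; they are stored alongside it.
    public function fill(array $params): self
    {
        $copy = clone $this;
        $copy->params = $params;
        return $copy;
    }

    public function template(): string { return $this->template; }
    public function params(): array { return $this->params; }
}

// Sensitive sink: the type hint rejects a plain (possibly concatenated) string.
function db_query(PDO $db, LockedString $q): array
{
    $stmt = $db->prepare($q->template());
    $stmt->execute($q->params());
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, role TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");

$input = "bob' OR '1'='1";   // constructed hostile input

$q = (new LockedString('SELECT name FROM users WHERE name = :name'))
    ->fill([':name' => $input]);
var_dump(count(db_query($db, $q)));   // input is bound as data, not as SQL

try {
    db_query($db, "SELECT name FROM users WHERE name = '$input'");
} catch (TypeError $e) {
    echo "plain string rejected by the sink\n";
}
```

Plain PHP cannot check that the template itself was written as a literal, so this sketch only enforces the sink's type and the separation of values from query text.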
Other features in OWL include the Litemark markup language for writing content and a base stylesheet with a Flexbox grid system and SVG icons. OWL has been tested to compile to PHP versions 5.6-plus and 7.0. Future plans for OWL include adding secure form-handling and validation and session support. Other plans involve the addition of Windows support and asset caching. Right now, OWL works with MacOS and Linux.
The OWL Web Language, by the way, is unrelated to the W3C’s Web Ontology Language, which goes by the same acronym. Lesko said he did not think there would be any confusion between the two but would find a way to disambiguate if the naming becomes an issue.