Well you can make your own bake templates, and include html escaping there. The assumption is that you will 'harden' your app after baking. I could see it being an enhancement. But like I said you can make your own hardened bake files.
-Mark On Feb 18, 9:37 am, Jonathan <[email protected]> wrote: > Hi, > > If you use the console to bake views like index.ctp and view.ctp, data > is echo'ed directly like: > <?php echo $user['Model']['field']; ?> > > - I think that all output should by default be HTML-escaped to avoid > security flaws, so the baked code should rather be something like: > <?php echo h($user['Model']['field']); ?> > > What are your opinions - should this be considered a bug? > > Regards > > Jonathan --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~----------~----~----~----~------~----~------~--~---
