I thought so too, in the beginning. And as far as I know the bake templates will soon be updated with h() or are already in the process of being updated. Because just too many either don't know or don't care, it is more than necessary to do so :)

There are occasions where you don't want the h() (HTML content, numeric values, ...). And as long as the content comes from you alone (without user inputs/forms), usually not too much harm can be done. Probably for simplicity they omitted it altogether. Well, the main goal still is "rapid development": bake all views and ADJUST them afterwards. The default ones are so generic that they fit every purpose, I suppose. But that (!) doesn't mean that the templates are usable for real websites out "of the box". Without adjusting it's usually not done. If you want to save time and cut down the adjustments to a minimum, you create your own templates. The nice side effect: you can include your own little gadgets right away (like me with green/red images for toggle values like "active" or "published" in the view) and the results are as close to your expected outcome as possible. Follow my tips about how to create more robust bake templates and make sure you always bake your templates with those custom ones. But this is already pretty off topic here :)

On 14 Dez., 22:19, Ryan Schmidt <[email protected]> wrote:
> On 14 Dez., 16:01, euromark <[email protected]> wrote:
>> you can GUESS - if you actually need to ask you will most certainly
>> always get "IE6"^^
>> and in this case as well
>
>> and yes, unfortunately it is still widely used (mainly corporations
>> and unskilled home users)
>
> IE6! No, that's still on my still-care-about list. I'll have to test for this
> problem there and see it for myself.
>
> On Dec 14, 2010, at 09:05, euromark wrote:
>
>> and you shouldn't use those templates for productive websites where
>> users can input data or anything else for that matter
>> you should escape plain text with h()
>>
>> <?php echo h($category['Category']['id']); ?>
>
> Oh I know, I read your article. But I wanted to just ask one question at a
> time. :) But that was going to be another question later: why aren't the
> baked files better suited for real-world use? As a newcomer to CakePHP, I
> assumed CakePHP would make the best default choices and give me something
> that works that I just need to modify a little, but having to go through and
> h() everything in every view, and having to implement 404 errors in every
> controller, is tiresome and repetitive and exactly the kind of thing I would
> have expected a framework to do for me. I'm an experienced PHP programmer so
> I can see that these steps are missing and need to be done, but I fear
> many less-experienced PHP programmers will take CakePHP at its word and put
> its baked files into production use. So, what's the deal with that? Have you
> reported your observations from your article to the CakePHP developers, and
> what have they said in response?

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
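An added example, not from either poster and not CakePHP's own bake template code, showing what the h() call in the quoted reply actually prevents in a baked index view, and the two cases the first post names where it is not needed (numeric values, and the green/red toggle images). The fallback definition of h() is an assumption that mirrors what CakePHP 1.3's h() does for a plain string (htmlspecialchars with ENT_QUOTES); the $categories records, the script payload in the second one and the image filenames are constructed for the demo. Wrapping the id in h() as the quoted post does is harmless; the example casts it to (int) instead to show the "numeric values" case.

```php
<?php
// Added example (not from the mailing-list posts or from CakePHP's bake
// templates): what h() buys you in a baked view, and where you can skip it.

// Outside CakePHP, h() is not defined. This fallback is an ASSUMPTION that
// mirrors what CakePHP 1.3's h() does for a plain string: htmlspecialchars()
// with ENT_QUOTES so both quote styles are encoded. Inside a Cake app the
// framework's own h() is used and this block is skipped.
if (!function_exists('h')) {
    function h($text, $charset = 'UTF-8')
    {
        return htmlspecialchars((string)$text, ENT_QUOTES, $charset);
    }
}

// Constructed sample records, shaped like a baked index view's $categories.
// The second one carries the kind of payload a user could submit through the
// baked add/edit form if nothing strips it.
$categories = array(
    array('Category' => array(
        'id'     => 1,
        'name'   => 'Books & Media',
        'active' => 1,
    )),
    array('Category' => array(
        'id'     => 2,
        'name'   => '"><script>alert(document.cookie)</script>',
        'active' => 0,
    )),
);

// The way the stock bake templates render a cell: raw echo of the field.
function rowUnescaped(array $category)
{
    return '<td>' . $category['Category']['id'] . '</td>'
         . '<td>' . $category['Category']['name'] . '</td>';
}

// Same row with h() on every free-text value.
// - id: cast to (int); an integer cannot carry markup, so h() is redundant.
// - name: user-controlled text, always through h().
// - active: a toggle rendered as a green/red image; the only thing that
//   reaches the page is OUR filename (assumed names), never the field value.
function rowEscaped(array $category)
{
    $toggle = $category['Category']['active'] ? 'green.png' : 'red.png';
    return '<td>' . (int)$category['Category']['id'] . '</td>'
         . '<td>' . h($category['Category']['name']) . '</td>'
         . '<td><img src="/img/' . $toggle . '" alt="active" /></td>';
}

// Sanity check a practitioner can run over every rendered row: after
// removing the markup we wrote ourselves, nothing that could open a tag or
// break out of an attribute may remain.
function containsRawMarkup($html)
{
    $ours = array('<td>', '</td>', '<img src="/img/green.png" alt="active" />',
                  '<img src="/img/red.png" alt="active" />');
    $stripped = str_replace($ours, '', $html);
    return strpbrk($stripped, '<>"\'') !== false;
}

foreach ($categories as $category) {
    echo "unescaped: ", rowUnescaped($category), "\n";
    echo "escaped:   ", rowEscaped($category), "\n";
    echo "raw markup leaked from data? ",
        containsRawMarkup(rowEscaped($category)) ? 'yes' : 'no', "\n\n";
}
```

Run with `php example.php`: the second record's unescaped row is emitted as a live `<script>` tag, the escaped row shows it as `&quot;&gt;&lt;script&gt;...`, and containsRawMarkup() reports no leak for both escaped rows. The same check can be dropped into a custom bake template's test, which is the point of baking with your own templates instead of patching every view by hand afterwards.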
