Hi!
On Wed, 4 Jul 2007, Kore Nordmann wrote:
> Besides feeling safe because of the output contexts in the template
> engine there are still several possibilities to bypass this mechanism,
> when values are echoed in the wrong place and you can introduce XSS
> vulnerabilities in your application.
[snip example]
> So what is the purpose of this mail?
>
> We should probably add a section about XSS prevention, the additional
> possible output contexts inside XHTML markup and fighting those XSS to
> the tutorial. In this case some call to good old addslashes() would help
> for example, which you don't want for "normal" XHTML.
>
> Or perhaps even someone can come up with a better solution for this,
> than just documenting it. Perhaps manual usage of different output
> contexts in one template, like:
>
> {context( $input, 'JavaScript' )}
I think both of those have merit - I actually think your second idea
is even more elegant as you won't have to deal with all the different
escaping methods yourself. Could you file a task for the first thing,
and an enhancement for the second?
regards,
Derick
--
Components mailing list
[email protected]
http://lists.ez.no/mailman/listinfo/components
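The per-context escaping that the proposed `{context( $input, 'JavaScript' )}` construct would provide, as an added example that is not part of the thread above and not eZ Components code. The function names `escapeXhtml`, `escapeJavaScript` and `context` are assumptions for illustration, not the Template component's API; the sample name is constructed. The JavaScript context deliberately does not apply the XHTML escaper (a browser does not decode entities inside a script element) and uses `json_encode` rather than `addslashes()`, because `addslashes()` only backslashes quotes, backslashes and NUL and would leave `</script>` intact, which still terminates the script element.

```php
<?php
// Added example, not eZ Components code: a minimal context-aware escaper in
// the spirit of the proposed {context( $input, 'JavaScript' )} construct.
// Function names are illustrative assumptions, not the Template component's API.

declare(strict_types=1);

/** XHTML text / attribute-value context. */
function escapeXhtml(string $value): string
{
    // ENT_QUOTES turns both quote kinds into entities, so the result is also
    // safe inside a single-quoted attribute; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** JavaScript string-literal context: returns a complete, double-quoted literal. */
function escapeJavaScript(string $value): string
{
    // JSON_HEX_* turn < > & ' " into \u00XX escapes and json_encode escapes
    // "/" as "\/", so neither a quote nor "</script>" can end the literal or
    // the enclosing script element. Non-ASCII (including U+2028/U+2029, which
    // JSON permits raw but JavaScript string literals historically do not)
    // is emitted as \uXXXX as well.
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    if ($literal === false) {
        throw new RuntimeException('cannot encode value: ' . json_last_error_msg());
    }
    return $literal;
}

/** Dispatcher mirroring the proposed template construct (assumed names). */
function context(string $input, string $context): string
{
    switch ($context) {
        case 'XHTML':
            return escapeXhtml($input);
        case 'JavaScript':
            return escapeJavaScript($input);
        default:
            // An unknown context is a template bug: refuse rather than guess.
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

/** Renders the same value once in markup and once inside a script element. */
function renderGreeting(string $name): string
{
    return '<p>Hello ' . context($name, 'XHTML') . "</p>\n"
         . '<script type="text/javascript">var user = '
         . context($name, 'JavaScript') . ";</script>\n";
}

// Constructed sample: a user-supplied name mixing both quote kinds with a
// closing script tag, the kind of value that is harmless in one context and
// breaks out of the other when the wrong escaper is applied.
echo renderGreeting('O\'Brien "</script>');
```

Run it with `php context.php`; in the XHTML line every quote and angle bracket comes back as an entity, while in the script line they come back as `\u00XX` escapes and the slash in `</script>` as `\/`, so the markup parser and the JavaScript parser each see exactly one string and nothing else.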