Hi
> fixing that...), but I will note: Starting with 2.0, escaping will be
> the default when retrieving variables from the view object, and you will
> need to request the raw value explicitly if you need it. This is a
That sounds like a ZF version of magic_quotes... How do you want to
deal with different escaping in javascript, css, html, xml? A view
script could be a mix of anything, i.e.:
<?php $this->var = '1/2"' ?>
<p onclick="alert("<?php echo $this->var; ?>")"><?php echo $this->var; ?></p>
<script>
document.title = "<?php echo $this->var; ?>"
</script>
and the correct output is:
<p onclick="alert("1\/2\"")">1/2"</p>
<script>
document.title = "1\/2\"";
</script>
For proper automatic escaping you need information about the context,
which is very hard (impossible) to get now...
html: htmlspecialchars($s, ENT_QUOTES)
xml: htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s), ENT_QUOTES)
css: addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~")
css inside html attributes: htmlspecialchars(addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~"), ENT_QUOTES)
javascript: json_encode($s)
js inside html attributes: htmlspecialchars(json_encode($s), ENT_QUOTES);
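As an added illustration of the per-context rules above (this is not code from the post or from Zend Framework; the class name ContextEscaper and the nested-context helpers are assumptions), one helper per output context, applied to the sample value from the post:

```php
<?php
// Added illustration (not Zend Framework code): one small helper per output
// context, built from the escaping rules listed in the post.
final class ContextEscaper
{
    // Range list from the post: everything addcslashes() must escape in CSS.
    private const CSS_CHARS = "\x00..\x2C./:;<=>?...@[\\]^`{|}~";

    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }

    public static function xml(string $s): string
    {
        // Drop the control characters XML 1.0 forbids, then escape as markup.
        $clean = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s);
        return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    }

    public static function css(string $s): string
    {
        return addcslashes($s, self::CSS_CHARS);
    }

    public static function js(string $s): string
    {
        // A JSON string is a valid double-quoted JS literal; json_encode()
        // escapes '/' by default, so "</script>" in the data cannot close the block.
        $out = json_encode($s);
        if ($out === false) {            // e.g. invalid UTF-8 input
            throw new InvalidArgumentException(json_last_error_msg());
        }
        return $out;
    }

    // Nested contexts: escape for the inner language first, then for the
    // HTML attribute that carries it (the browser decodes entities first).
    public static function cssInAttr(string $s): string { return self::html(self::css($s)); }
    public static function jsInAttr(string $s): string  { return self::html(self::js($s)); }
}

$var = '1/2"'; // the sample value from the post
echo '<p onclick="alert(' . ContextEscaper::jsInAttr($var) . ')">'
   . ContextEscaper::html($var) . "</p>\n";
echo '<script>document.title = ' . ContextEscaper::js($var) . ";</script>\n";
```

With this value the onclick attribute becomes alert(&quot;1\/2\&quot;&quot;), which stays well-formed HTML and is decoded by the browser to the intended alert("1\/2\"") before the JS parser sees it, while the same value inside the script block is emitted as the plain JSON literal "1\/2\"".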
--
Ondrej Ivanic