-- Ondrej Ivanič <[email protected]> wrote
(on Wednesday, 15 July 2009, 10:09 AM +1000):
> On Wed, Jul 15, 2009 at 2:39 AM, Matthew Weier
> O'Phinney<[email protected]> wrote:
> >
> > Within your view, you, the developer, know your context, so it's up to
> > you to define the escaping mechanism. We're just going to provide a sane
> > default for the 80/20 use case.
> >
> 
> 80/20 is a nice rule but not for security. I went through this a few
> years ago and, as you mention, it was so convenient not to care in 80%
> of cases, but the rest was a pain in the ass. The setEscape() method
> doesn't help too much when you have to mix CSS/JS/HTML code in a
> single phtml file.

Why are you mixing them into a single file? Why not have separate files
for separate types of code? This simplifies the story for escaping,
allows you to run linters specific to the markup and/or language, and
allows you to factor out things like CSS and JS to your presentation
layer (where, arguably, it belongs -- *not* in your view scripts).

> I believe that the first set of messages to this list will ask questions like this:
> - how to turn off automatic escaping
> - why my JavaScript doesn't work
> ...
> 
> Finally, the proposed solution seems to be the best one, with the current
> Zend_View design, but it's wrong to think that you raise the level of
> security in your application; the level is still the same as before.

We can provide tools for the developer -- it's up to the developer to
use them properly. Again, the 80% use case for view scripts is HTML, so
autoescaping using htmlentities or htmlspecialchars is the appropriate
approach. As you say, though, if your view scripts are generating other
languages (JS) or markup (CSS), you *will* need other approaches. That
said -- and I mentioned this earlier -- if you're doing that, you may be
needing to look at your architecture slightly differently. (Though
creating JSON in a view script I *do* think is a good tactic -- but
Zend_Json and json_encode() are your friends there anyways.)

-- 
Matthew Weier O'Phinney
Project Lead            | [email protected]
Zend Framework          | http://framework.zend.com/

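An added example illustrating the point argued in this reply (it is not code from Zend Framework, Zend_View, or either poster): an HTML autoescaper such as htmlspecialchars() is correct for the HTML context, but the same value emitted into an inline script or a style block needs its own escaper. The attacker-controlled value, the function names escapeHtml/escapeJs/escapeCss and the surrounding markup are all constructed for this illustration; the block assumes PHP 5.3 or later for the JSON_HEX_* flags.

```php
<?php
// Added example, not Zend Framework or Zend_View code: context-specific
// escaping for a value a view script writes into HTML, a JS string, and CSS.
// Requires PHP 5.3+ (JSON_HEX_* flags) and the mbstring extension.

// Constructed attacker-controlled input; hypothetical, for illustration only.
$untrusted = "x'; alert(document.cookie); //";

// HTML body or quoted-attribute context: the "80% case" an autoescaper
// covers. ENT_QUOTES makes single-quoted attributes safe as well.
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// JavaScript context: emit a JSON literal instead of an HTML-escaped string.
// The HEX flags encode < > & ' " as \uXXXX, so the literal can neither close
// the surrounding string nor close an inline <script> block, and json_encode
// also escapes backslashes and newlines, which htmlspecialchars never touches.
function escapeJs($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// CSS context (a value inside a style declaration or selector): allow-list
// escaper; every character outside [A-Za-z0-9] becomes a \XXXXXX hex escape
// followed by a space so the next character is never absorbed into the escape.
function escapeCss($value)
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function ($m) {
        $cp = unpack('N', mb_convert_encoding($m[0], 'UCS-4BE', 'UTF-8'));
        return sprintf('\\%06X ', $cp[1]);
    }, $value);
}

// The mismatch the thread is about: the HTML escaper applied in a JS string
// context. ENT_COMPAT (the htmlspecialchars default before PHP 8.1) leaves the
// single quote alone, so the value terminates the string and the rest runs.
$wrong = "<script>var name = '" . htmlspecialchars($untrusted, ENT_COMPAT, 'UTF-8') . "';</script>";

// Each sink escaped for its own context.
$html = '<p>Hello, ' . escapeHtml($untrusted) . '</p>';
$js   = '<script>var name = ' . escapeJs($untrusted) . ';</script>';
$css  = '<style>.user-' . escapeCss($untrusted) . ' { color: red; }</style>';

echo "Wrong (HTML escaper in JS context):\n$wrong\n\n";
echo "HTML context:\n$html\n\n";
echo "JS context:\n$js\n\n";
echo "CSS context:\n$css\n";
```

Run it from the command line and compare the first two script tags: the "wrong" one comes out as `var name = 'x'; alert(document.cookie); //';`, i.e. the injected statement is live, while the json_encode() route yields a single quoted string literal in which every quote, slash and angle bracket is a `\u` escape. This is the concrete reason an HTML autoescaper, however sane a default, cannot be the whole escaping story once a view script produces anything other than HTML.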