Matt Read wrote: > > If you think everything I said was crap, or have something to add, > please speak up :)
I think these are all important considerations. I think we should make it easier for developers to do good things by default in regard to these ideas. For example... How would everyone feel about sanitizing handler_vars and g/p/c by default, and forcing code to use handler_vars_unsafe and $_(GET|POST|COOKIES)_UNSAFE[] if they want the raw values? This would make at least this single aspect easier to audit. Also, a similar approach could be taken in any instance where we push data around, like in Theme. Any value assigned as a string to the theme could be converted into a new String class instance, which would default to output filtered, but could be retrieved raw: // Converts the incoming native string into a String instance: $theme->foo = '<script'; // In the template: echo $foo; // Outputs the filtered value: '' echo $foo->unsafe(); // Outputs the raw value: '<script' echo $foo->html(); // Outputs < as > : '>script' echo $foo->encode(); // Output URL encodes: '%3cscript' Owen --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/habari-dev -~----------~----~----~----~------~----~------~--~---
