On Mon, Nov 3, 2008 at 5:52 PM, Owen Winkler <[EMAIL PROTECTED]> wrote:
> How would everyone feel about sanitizing handler_vars and g/p/c by
> default, and forcing code to use handler_vars_unsafe and
> $_(GET|POST|COOKIES)_UNSAFE[] if they want the raw values?

I like it. And putting through a method for the unsafe sounds good. I would prefer if the g/p/rr were separate arrays too.

> Also, a similar approach could be taken in any instance where we push
> data around, like in Theme. Any value assigned as a string to the theme
> could be converted into a new String class instance, which would default
> to output filtered, but could be retrieved raw:
>
> // Converts the incoming native string into a String instance:
> $theme->foo = '<script';
>
> // In the template:
> echo $foo; // Outputs the filtered value: ''
> echo $foo->unsafe(); // Outputs the raw value: '<script'
> echo $foo->html(); // Outputs < as > : '>script'
> echo $foo->encode(); // Output URL encodes: '%3cscript'

I really like this. And wrapping the mb_string functions in would make it even better.

-- 
Matt Read
http://mattread.com
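The wrapper class sketched in the quoted message, as an added illustration that is not Habari code and not part of either author's post. It assumes PHP 7.4 or later (typed properties) and the `mbstring` extension; the names `SafeString` and `ThemeVars`, the `length()`/`truncate()` helpers, and the `__set`/`__get` container are assumptions standing in for the `String` class and Theme object the message describes (`String` itself is reserved in PHP 7+, hence the different name).

```php
<?php
// Added illustration (not Habari code): a wrapper for theme values that is
// filtered when echoed and must be asked explicitly for the raw value.
// Class and method names are assumptions modelled on the message above.
final class SafeString
{
    private string $raw;

    public function __construct(string $raw)
    {
        $this->raw = $raw;
    }

    // Default output: tags removed. strip_tags() also drops an unclosed
    // tag such as '<script', so that value prints as an empty string.
    public function __toString(): string
    {
        return strip_tags($this->raw);
    }

    // Explicit opt-in to the unfiltered value; easy to grep for in templates.
    public function unsafe(): string
    {
        return $this->raw;
    }

    // HTML-escaped form for insertion into element content or attributes.
    public function html(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Percent-encoded form for use as a URL component.
    public function encode(): string
    {
        return rawurlencode($this->raw);
    }

    // Multibyte helpers wrapped on the object (needs ext/mbstring),
    // in the spirit of the "wrapping the mb_string functions" remark.
    public function length(): int
    {
        return mb_strlen($this->raw, 'UTF-8');
    }

    public function truncate(int $chars): SafeString
    {
        return new SafeString(mb_substr($this->raw, 0, $chars, 'UTF-8'));
    }
}

// Minimal stand-in for the Theme container: every string assigned through
// it is wrapped, so a template cannot echo a raw value by accident.
final class ThemeVars
{
    private array $vars = [];

    public function __set(string $name, $value): void
    {
        $this->vars[$name] = is_string($value) ? new SafeString($value) : $value;
    }

    public function __get(string $name)
    {
        return $this->vars[$name] ?? null;
    }
}

// Constructed sample values standing in for untrusted request input.
$theme = new ThemeVars();
$theme->foo   = '<script';
$theme->title = 'Über <b>bold</b> "title"';

echo $theme->foo, "\n";             // filtered by default
echo $theme->foo->unsafe(), "\n";   // raw value, explicit opt-in
echo $theme->foo->html(), "\n";     // entity-escaped
echo $theme->foo->encode(), "\n";   // percent-encoded (PHP emits upper-case hex)
echo $theme->title, "\n";           // tags stripped, multibyte text preserved
echo $theme->title->html(), "\n";   // tags and quotes escaped
echo $theme->title->length(), "\n"; // character count, not byte count
```

The point of the design is that the dangerous operation (`unsafe()`) is the one that has to be written out, while the default (`echo $foo`) is safe; the same pattern applied to `handler_vars` and the superglobals gives a single place to audit for raw input use.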
