Jared Williams wrote:
-----Original Message-----
From: Stefan Walk [mailto:[EMAIL PROTECTED]]
Sent: 23 March 2008 11:08
To: Jared Williams
Cc: 'PHP Internals'
Subject: Re: [PHP-DEV] short_open_tag
Jared Williams schrieb:
<ul>
<? foreach ($items as $item): ?>
<li><?=htmlspecialchars($item)?></li>
<? endforeach ?>
</ul>
Well, it's the same as the "but I can't validate my php
source with xmllint" folks: You're doing it at the wrong
point. Escaping should happen at the point where you assign
the var as a template var (in my small template class:
$tpl->assign('items', $some_data) will escape all "leaves" in
the data $some_data). This way you don't have to type it
every time, you don't have to read it every time and - best of
all - you can't forget to do it, so introducing an XSS
vulnerability is much less likely.
Regards,
Stefan
A lot of people don't use templates, just raw PHP. So having a short tag
escaping would decrease XSS vulnerabilities.
I don't understand why we need to essentially duplicate all the variables just
to provide proper escaping.
This is what the filter extension is for. You should be working with
escaped data by default and only poke a hole in your data firewall in
the few places where you need to work with the raw data. Doing it the
other way around is going to lead to all sorts of security issues.
-Rasmus
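For readers who want to see the "escape at assign time" approach Stefan describes next to the "poke a hole for raw data" default Rasmus argues for, here is an added example. It is not code from this thread or from PHP itself; the class and method names (Template, assign, assignRaw, escapeLeaves, get) are hypothetical, and the sample data is constructed.

```php
<?php
// Added example, not from the thread. A minimal template class in the style
// Stefan describes: every scalar "leaf" is HTML-escaped when it is assigned,
// so the view never has to call htmlspecialchars() itself.

final class Template
{
    /** @var array<string, mixed> variables, escaped unless assigned via assignRaw() */
    private array $vars = [];

    // Default path: strings are escaped, arrays are walked recursively so nested
    // leaves are escaped too, other scalars (int, float, bool, null) pass through.
    public function assign(string $name, mixed $value): void
    {
        $this->vars[$name] = self::escapeLeaves($value);
    }

    // The explicit "hole in the data firewall": markup that is already safe must
    // be opted in by name, which makes every raw assignment easy to spot in review.
    public function assignRaw(string $name, mixed $value): void
    {
        $this->vars[$name] = $value;
    }

    private static function escapeLeaves(mixed $value): mixed
    {
        if (is_array($value)) {
            // array_map with a single array preserves string keys.
            return array_map(fn ($v) => self::escapeLeaves($v), $value);
        }
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        return $value;
    }

    public function get(string $name): mixed
    {
        return $this->vars[$name] ?? null;
    }
}

// Constructed sample data, including a value that would be an XSS payload if
// echoed unescaped.
$tpl = new Template();
$tpl->assign('items', [
    'apple',
    '<script>alert(1)</script>',
    'a "quoted" & ampersand',
    'nested' => ['<b>deep</b>'],
]);
// Pre-rendered markup produced elsewhere by trusted code; the raw path is
// deliberately a different, visible method call.
$tpl->assignRaw('footer', '<p class="note">Generated by the build.</p>');

// The equivalent of Jared's loop, without htmlspecialchars() on each echo.
echo "<ul>\n";
foreach ($tpl->get('items') as $key => $item) {
    if (is_array($item)) {
        foreach ($item as $sub) {
            echo "  <li>$key: $sub</li>\n";
        }
        continue;
    }
    echo "  <li>$item</li>\n";
}
echo "</ul>\n";
echo $tpl->get('footer'), "\n";
```

The filter extension applies the same default-deny idea one layer earlier: with the `filter.default` INI directive set to `special_chars`, the values in `$_GET`, `$_POST`, `$_COOKIE`, `$_REQUEST` and `$_SERVER` arrive already escaped, and the original data is only reachable through an explicit call such as `filter_input(INPUT_GET, 'name', FILTER_UNSAFE_RAW)`, which is the "hole" Rasmus refers to.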
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php