On 06-01-2009 at 11:46:58 Alister Cameron <alister.came...@cameroncreative.com> wrote:

Excuse my ignorance, Kornel.
Can you elaborate on what you mean by "not secure"?

I use structure a fair bit to return, say, a fully formatted anchor tag.
That DOES have the < character in it.

Sorry, I wasn't clear. I had in mind a "<" character that is not supposed to be
part of the markup.

How is this not secure?

If you've ensured that it's well-formed and all user-supplied data in it has been filtered/escaped properly, then it is secure.
My point is that where the structure keyword is used, PHPTAL will blindly pass through
anything, so securing output becomes your responsibility.

regards, Kornel

PHPTAL mailing list
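
The case discussed in the thread (a formatted anchor tag handed to the template through the structure keyword), as an added example that is not part of the original messages or PHPTAL's own code. The helper names `unsafe_anchor()` and `safe_anchor()`, the template line in the comment and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of PHPTAL.
// Template side (assumed), where PHPTAL's automatic escaping is switched off:
//   <li tal:content="structure link">link goes here</li>
// Whatever string ends up in "link" reaches the browser verbatim.

// Markup assembled by plain concatenation: a "<" or a quote in user data
// becomes part of the page's markup once it is output via "structure".
function unsafe_anchor(string $url, string $text): string
{
    return '<a href="' . $url . '">' . $text . '</a>';
}

// Same anchor with every user-supplied piece escaped before assembly,
// so the only markup in the result is the markup written here.
function safe_anchor(string $url, string $text): string
{
    // Escaping alone does not neutralise script-bearing URL schemes,
    // so accept absolute http(s) URLs only and fall back to "#".
    if (!preg_match('#^https?://#i', $url)) {
        $url = '#';
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '">'
         . htmlspecialchars($text, $flags, 'UTF-8') . '</a>';
}

// Constructed sample input standing in for user-supplied data.
$samples = [
    ['http://example.com/?a=1&b=2', 'Tom & Jerry'],
    ['http://example.com/" onmouseover="x', 'price < 10'],
    ['javascript:void(0)', '<b>bold</b>'],
];

foreach ($samples as [$url, $text]) {
    echo "unsafe: ", unsafe_anchor($url, $text), "\n";
    echo "safe:   ", safe_anchor($url, $text), "\n\n";
}
```

Only the return value of `safe_anchor()` is suitable for a structure expression; plain text values are better left to PHPTAL's default escaping by omitting the keyword.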