On 09-01-2009 at 00:47:29 Iván -DrSlump- Montes <drsl...@pollinimini.net> wrote:

As for people being able to inject JS code, I guess they mean that a commenter can put JS in a comment. However, in that case, the responsibility for cleaning any XSS or any other form of script injection is the "input filter", which has nothing to do with a template engine; it's a completely different sub-system, and if WP relies on 'output escaping' to do that job that seems a really smelly design.

I disagree. There's nothing wrong with allowing someone to write a comment like <script>alert('xss')</script>. I just did that! I hope your e-mail client didn't execute the code, and didn't remove it either.
That's why automatic escaping in PHPTAL is such an important feature - it allows you to safely and losslessly output any* text.

*) as long as character encoding is correct. That one I think is the job of input 

regards, Kornel
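As an added illustration of the contrast drawn above (this is not code from the thread or from PHPTAL itself; it uses plain PHP's htmlspecialchars() and strip_tags() rather than PHPTAL templates), the same comment is rendered two ways: escaped at output, which keeps the commenter's text intact and inert in the browser, and "cleaned" by an input filter, which silently destroys it. The constructed sample comment is the one from the mail; the encoding check at the end assumes the mbstring extension is available.

```php
<?php
// Added example, not part of the PHPTAL mailing-list thread or of PHPTAL.
declare(strict_types=1);

// Constructed sample: a comment stored exactly as the commenter typed it.
$comment = "<script>alert('xss')</script>";

// Lossless: escape at the moment of output, for an HTML text context.
// The browser shows the literal characters and runs nothing.
function renderComment(string $text): string
{
    return '<p class="comment">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Lossy: an "input filter" that strips markup before storage. The tags are
// gone for good and the stored data no longer matches what was written.
function filterOnInput(string $text): string
{
    return strip_tags($text);
}

// Character encoding really is the input side's job: htmlspecialchars()
// returns an empty string for input that is not valid UTF-8 unless
// ENT_SUBSTITUTE is passed, so reject (or repair) bad bytes before storage
// rather than losing the whole comment at render time.
function acceptComment(string $raw): ?string
{
    return mb_check_encoding($raw, 'UTF-8') ? $raw : null;
}

echo renderComment($comment), PHP_EOL;   // escaped, complete, harmless
echo filterOnInput($comment), PHP_EOL;   // only the text between the tags survives

var_dump(acceptComment("\xC3\xA9"));     // valid UTF-8 "é": accepted as-is
var_dump(acceptComment("\xC3"));         // truncated sequence: rejected at input
```

Note that the escaping function is chosen by the output context; htmlspecialchars() is correct for element text and quoted attribute values, but a value placed inside a script block or a URL needs a different encoder, which is exactly the decision a template engine is positioned to make and an input filter is not.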

PHPTAL mailing list
