On 09-01-2009 at 00:47:29 Iván -DrSlump- Montes <drsl...@pollinimini.net> wrote:
As for people being able to inject JS code, I guess they mean that a
commenter can put JS in a comment. However, in that case, the
responsibility for cleaning any XSS or any other form of script injection is the "input
filter", which has nothing to do with a template engine; it's a completely
different sub-system, and if WP relies on 'output escaping' to do that job
that seems a really smelly design.
I disagree. There's nothing wrong with allowing someone to write a comment like <script>alert('xss')</script>. I just did that! I hope your e-mail client didn't execute the code, and didn't remove it either.
That's why automatic escaping in PHPTAL is such an important feature: it allows
you to safely and losslessly output any* text.
*) as long as the character encoding is correct. That one I think is the job of input
PHPTAL mailing list
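As an added illustration of the point made in the reply above (this is example code written for this page, not PHPTAL's code and not code from either poster): a minimal auto-escaping renderer, a lossy tag-stripping "input filter" for contrast, and the strict-decoding step that the character-encoding caveat refers to. The `${name}` template syntax, the function names and the sample comment are assumptions made for this example.

```python
import html
import re

# Constructed sample input: the same payload the message above uses,
# plus an ampersand and quotes so every escaped character is exercised.
SAMPLE_COMMENT = "<script>alert('xss')</script> & \"quotes\""


def escape_html(text: str) -> str:
    """Output escaping: encode only the characters HTML would interpret.

    Nothing is removed, so html.unescape() recovers the original text.
    """
    return html.escape(text, quote=True)


def render(template: str, context: dict) -> str:
    """Tiny auto-escaping renderer (hypothetical ${name} syntax).

    Every substituted value is escaped on output, so the template author
    cannot forget to do it. This stands in for an engine with automatic
    escaping; it is not PHPTAL's syntax or implementation.
    """
    def substitute(match: re.Match) -> str:
        return escape_html(str(context[match.group(1)]))

    return re.sub(r"\$\{(\w+)\}", substitute, template)


def strip_tags(text: str) -> str:
    """Lossy 'input filter' for contrast: deletes anything tag-shaped.

    It is safe-ish but destroys the commenter's text, which is exactly what
    the reply above objects to.
    """
    return re.sub(r"<[^>]*>", "", text)


def decode_comment(raw: bytes) -> str:
    """The caveat: escaping is only correct on correctly decoded text.

    Strict UTF-8 decoding rejects malformed byte sequences (for example the
    overlong encoding C0 BC for '<') instead of letting a lenient consumer
    turn them into a real '<' after escaping has already run. This belongs
    at the input boundary, before the template ever sees the string.
    """
    return raw.decode("utf-8", errors="strict")


def is_lossless(text: str) -> bool:
    """True if escaping followed by unescaping yields the original text."""
    return html.unescape(escape_html(text)) == text


def has_raw_markup(escaped: str) -> bool:
    """True if a literal '<' or '>' survived escaping (it must not)."""
    return "<" in escaped or ">" in escaped


if __name__ == "__main__":
    page = render("<p>${comment}</p>", {"comment": SAMPLE_COMMENT})
    print(page)
    print("lossless:", is_lossless(SAMPLE_COMMENT))
    print("stripped:", strip_tags(SAMPLE_COMMENT))
    try:
        decode_comment(b"\xc0\xbcscript>alert(1)\xc0\xbc/script>")
    except UnicodeDecodeError as exc:
        print("rejected at input:", exc)
```

Running it prints the comment as visible text inside the `<p>`, confirms the round trip, shows how much the stripping filter throws away, and shows the malformed bytes being refused before escaping is even attempted.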