Does this not then mean that the use of "structure" is something to be very
very careful with?
When I pull stuff in from WordPress I often need to use it because rather
than pulling in very "granular" data, I pull in a pre-formatted chunk of
HTML code -- perhaps a link (complete A tag, etc)...
If I was being pedantic about it -- and I'd like to be in the future -- I'd
go deeper into WordPress and pull out the components and build the A tag in
the template, thus not needing to use "structure".
The only way to avoid "structure" is to be sure that no tag markup needs to
be output, and in WordPress that's hard to do because so many of the
functions that are normally used in WordPress do just that -- they output
markup, not just data.
And that points to a big problem in WordPress for developers: there is no
real MVC structure, and no proper "presentation layer"... exactly what I'm
trying to do...
Thanks all :)
2009/1/9 Iván -DrSlump- Montes <drsl...@pollinimini.net>
> On Fri, Jan 9, 2009 at 11:35 AM, Kornel Lesiński <
> kor...@aardvarkmedia.co.uk> wrote:
>> I disagree. There's nothing wrong with allowing someone to write a comment
>> like <script>alert('xss')</script>. I just did that! I hope your e-mail
>> client didn't execute the code, and didn't remove it either.
>> That's why automatic escaping in PHPTAL is such an important feature - it
>> allows you to safely and losslessly output any* text.
> Right, I didn't make myself clear. I meant that if a system allows
> HTML input but wants to block some tags like <script> from being used, from
> my point of view, those tags should be stripped/sanitized at the input
> filter stage and not when outputting the data, mainly for performance reasons.
Cameron Creative Pty Ltd
Creative, Strategic, Innovative... never boring!
PHPTAL mailing list
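As an added example (not code from this thread or from PHPTAL itself), the PHP snippet below puts the three cases discussed above side by side: auto-escaped visitor text, "structure" applied to a pre-formatted WordPress link, and the pedantic approach of passing granular data and building the A tag in the template. The template and all sample values are constructed for illustration; it assumes PHPTAL is installed with PHPTAL.php on the include path.

```php
<?php
// Added example: PHPTAL escaping vs. "structure" vs. building markup from data.
// Assumes PHPTAL is installed and PHPTAL.php is on the include path.
require_once 'PHPTAL.php';

$tpl = new PHPTAL();
$tpl->setSource(<<<'XML'
<div xmlns:tal="http://xml.zope.org/namespaces/tal">
  <!-- 1. Default: text is HTML-escaped on output, so any markup a visitor
          typed is shown literally instead of being interpreted by the browser -->
  <p class="comment" tal:content="comment"/>

  <!-- 2. "structure": output verbatim, no escaping. Only acceptable for markup
          the application generated itself (here, a WordPress helper's output) -->
  <p class="wp" tal:content="structure wpLink"/>

  <!-- 3. Preferred: pass the components and build the A tag in the template.
          Attribute values and text content are escaped automatically,
          so "structure" is not needed at all -->
  <p class="built">
    <a tal:attributes="href link/url; title link/title" tal:content="link/text">link</a>
  </p>
</div>
XML
);

// Constructed sample data standing in for user input and WordPress output.
$tpl->comment = "<script>alert('xss')</script>";           // untrusted visitor comment
$tpl->wpLink  = '<a href="/hello-world/">Hello world</a>'; // pre-formatted HTML from a WP function
$tpl->link    = array(                                     // granular data instead of markup
    'url'   => '/hello-world/?a=1&b=2',
    'title' => 'Say "hello"',
    'text'  => 'Hello <world>',
);

echo $tpl->execute();
```

Running it shows that only the "structure" line reaches the browser unescaped, which is why that keyword should be confined to markup whose origin the application controls.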