If I'm reading the changeset correctly, CSRF protection and output escaping are both disabled by default and the "bc" escaping strategy has been removed.
On the one hand, it makes sense to remove the BC considerations that 1.0 is bound to for the 1.1 release. On the other hand, Francois makes a good point about the compatibility of plugins with different escaping strategies. Is there a method of accessing the varHolder that is consistent across all escaping strategies in 1.1? If so, the best practice would be for plugin devs to use that method, right? If not ... plugins would have escaping strategy dependencies, which would be a nightmare.

That consideration aside, I personally like the changeset.

Thanks for all your great work,

Kris

On Apr 2, 6:21 am, "Francois Zaninotto" <[EMAIL PROTECTED] project.com> wrote:
> Devs,
>
> From what I understand, r8201 sets the default escaping to 'off'. And either I don't fully understand it, or it will break a lot of applications with no possibility to upgrade, and for several reasons:
>
> - Some plugins use $sf_data->getRaw() in templates to deal with escaping properly when required. But with escaping set to off by default, $sf_data doesn't exist, does it? So these plugins will break. And this will force plugin writers to review their code entirely to make it work in both cases (either by detecting escaping before every escape, or by providing two versions of the plugins). This is such a lot of work that I'm pretty sure many developers will not do it, reducing the number of 1.1 compatible plugins drastically.
>
> - Applications that currently rely on 'bc' will get an exception when upgrading. Now, if they do want to use some pieces of code with escaping, they will have no choice but to switch to 'both', and that will probably break their applications in a lot of places with no easy upgrade path.
>
> So my question is: Is the purpose of improved security a good enough reason to make the upgrade to 1.1 much harder?
>
> François

--
You received this message because you are subscribed to the Google Groups "symfony developers" group: http://groups.google.com/group/symfony-devs?hl=en
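The thread's practical problem is that a plugin template cannot know whether it is running under escaping 'off' (plain PHP values, no $sf_data) or 'both' (every variable wrapped in an sfOutputEscaper decorator, raw values reachable through getRaw()). The following is an added example, not code from the symfony project or from either poster, of a plugin-side helper that unwraps a variable in both situations without ever touching $sf_data. It assumes the symfony 1.1 class and method names that existed at the time (sfOutputEscaper, its getRawValue() accessor, sfOutputEscaper::escape(), the 'esc_entities' escaping method); the helper names plugin_raw() and plugin_escape() and the sample data are made up for this example, and the self-check assumes a bootstrapped project so that sfOutputEscaper and the Escaping helper are loadable.

```php
<?php
// Added example (not symfony project code). Helper names and sample data are
// hypothetical; symfony 1.1 class/method names are assumed as discussed above.

/**
 * Return the raw value of $key from a template variable, whether or not
 * output escaping is active.
 *
 * With escaping_strategy 'both', arrays and objects passed to a template are
 * wrapped in an sfOutputEscaper decorator and scalars are escaped on access,
 * so $comment['body'] is already an escaped string by the time the plugin sees
 * it; the raw value has to be fetched from the decorator's wrapped container
 * (the same thing $sf_data->getRaw() does at the variable-holder level). With
 * escaping_strategy 'off', the plugin receives the bare array or object and
 * $sf_data is not defined, so nothing must be unwrapped.
 */
function plugin_raw($holder, $key)
{
  // Assumption: every 1.1 decorator extends sfOutputEscaper, which exposes
  // the wrapped value through getRawValue().
  if (is_object($holder) && $holder instanceof sfOutputEscaper)
  {
    $holder = $holder->getRawValue();
  }

  if (is_array($holder))
  {
    return isset($holder[$key]) ? $holder[$key] : null;
  }

  return isset($holder->$key) ? $holder->$key : null;
}

/**
 * Escape on output independently of the application's escaping strategy,
 * so switching the default to 'off' does not silently turn the plugin's
 * output into an XSS sink. Uses plain PHP rather than the configured
 * escaping_method so it has no dependency on the strategy at all.
 */
function plugin_escape($holder, $key)
{
  return htmlspecialchars((string) plugin_raw($holder, $key), ENT_QUOTES, 'UTF-8');
}

// Usage inside a plugin template, assuming the action passed $comment:
//
//   <?php echo plugin_escape($comment, 'body') ?>   // always escaped
//   <?php echo plugin_raw($comment, 'html') ?>      // deliberately raw: trusted HTML only
//
// Self-check: the same two calls give identical results under both strategies.
// Assumes sfOutputEscaper is autoloaded and the 'esc_entities' escaping method
// (symfony's default escaping_method, from the Escaping helper) is available.
function plugin_raw_self_check()
{
  $data = array('body' => '<b>hi</b>');   // constructed sample input

  // Simulate 'both': wrap the array the way the view does before rendering.
  $wrapped = sfOutputEscaper::escape('esc_entities', $data);
  $ok = plugin_raw($wrapped, 'body') === '<b>hi</b>';
  $ok = $ok && plugin_escape($wrapped, 'body') === '&lt;b&gt;hi&lt;/b&gt;';

  // Simulate 'off': the template receives the bare array and no $sf_data.
  $ok = $ok && plugin_raw($data, 'body') === '<b>hi</b>';
  $ok = $ok && plugin_escape($data, 'body') === '&lt;b&gt;hi&lt;/b&gt;';

  return $ok;
}
```

The design choice worth noting is that the helper takes the container plus a key rather than the already-accessed value: under 'both' the decorator has escaped the scalar by the time `$comment['body']` is evaluated, so unwrapping has to happen one level up, which is exactly why plugins reached for `$sf_data->getRaw()` in the first place. Unwrapping the container the plugin was actually handed removes the dependency on `$sf_data` existing, which is the strategy-independence Kris asks about.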
