I think that good security is about automation. Think about XSS protection implementation in symfony. You enable output escaping in your settings.yml file and you're protected by default. Sure, it induces some processing overhead, but if you have to wrap every variable output with htmlentities(), you will miss some and your templates will just look horrible.
I try to apply the same principle for CSRF protection. Just install the plugin, enable the filter in filters.yml and you're secure by default. With a helper, you have to manually change every form tag you may have in your templates. Sure, it will throw an exception if you miss one, but for very large/"legacy" applications, it can be very time consuming. Oh, and if you really want, you can split the filter to use only the check part and add the token by hand to your forms. The plugin is really simple, so it's up to you to use it the way you want. That's the beauty of Open-Source ;-)

To conclude, you can use the plugin as is or look at the implementation to reuse it the way you want, BUT now, you will have no excuse to not implement some kind of CSRF protection in your code...

Anyway, thanks for your comments, I think it's good to talk about security and how to implement it. Security is one of the main goals for symfony and I really want to provide all the tools to protect symfony applications from the most common attacks.

Fabien

Matthias Nothhaft wrote:
> Fabien POTENCIER wrote:
>> Hi all,
>>
>> A quick note to introduce my newest plugin.
>>
>> The sfCSRFPlugin provides protection against Cross Site Request Forgeries.
>>
>> As always, the source code is available in the symfony repository, and
>> you can check its wiki page at
>> http://trac.symfony-project.com/trac/wiki/sfCSRFPlugin
>
> This is a good idea. But I think it would be much better to provide a
> hook (observer or something like that) with form_tag() helper to add
> arbitrary tags right after the form tag.
>
> IMHO those preg / replace things consume memory while it is not
> necessary..!?
>
> Anyway.. nice plugin. ;-)
>
> Regards,
> Matthias
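A minimal sketch of the filter approach discussed in this thread (a per-session token, a check part that runs on every state-changing request, and an inject part that rewrites the rendered page so every POST form carries the token), written as an added illustration for this post; it is not sfCSRFPlugin's code, the class and constant names are invented, and it assumes PHP 7+ with a started session.

```php
<?php
// Illustrative CSRF filter in the spirit of the thread: check first, inject second.
// Names (CsrfFilter, SESSION_KEY, FIELD) are made up for this example.
final class CsrfFilter
{
    const SESSION_KEY = '_csrf_token';
    const FIELD       = '_csrf_token';

    /** Return the per-session token, creating it on first use. */
    public static function token(): string
    {
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY];
    }

    /** Check part: every non-safe request must carry a token equal to the session's. */
    public static function check(string $method, array $post): bool
    {
        if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
            return true; // safe methods change no state and carry no token
        }
        $sent = $post[self::FIELD] ?? '';
        // Constant-time comparison so the check does not leak the token via timing.
        return is_string($sent) && hash_equals(self::token(), $sent);
    }

    /** Inject part: add a hidden field right after every opening <form method="post"> tag. */
    public static function inject(string $html): string
    {
        $field = sprintf('<input type="hidden" name="%s" value="%s" />',
            self::FIELD, htmlspecialchars(self::token(), ENT_QUOTES, 'UTF-8'));
        // Only POST forms get the field; GET forms would put the token into URLs and Referers.
        return preg_replace_callback(
            '/<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>/i',
            function (array $m) use ($field) { return $m[0] . $field; },
            $html
        );
    }
}

// Usage as a front-controller filter (hypothetical wiring, not symfony's filter API):
// session_start();
// if (!CsrfFilter::check($_SERVER['REQUEST_METHOD'], $_POST)) {
//     http_response_code(403); exit('Missing or invalid CSRF token');
// }
// ... run the action, then: echo CsrfFilter::inject($renderedHtml);
```

Because the check runs before the action, a form the rewrite missed fails closed with a 403 instead of silently accepting a forged request.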