On Jan 23, 2008, at 3:56 PM, Cliff Hirsch wrote:
On 1/23/08 3:44 PM, "John Campbell" <[EMAIL PROTECTED]> wrote:
I just discovered smarty has default modifiers:
http://www.smarty.net/manual/en/variable.default.modifiers.php
Smarty does have an override: {$var|smarty:nodefaults} to cover the
exceptions.
That's right... I remember seeing something similar in another
templating system and thought it was probably a good idea. I guess it
will probably end up escaping more data than it has to... but it might
save you from user error leading to XSS attacks. I always wondered
how much of a blip in the radar all the escaping does to the server
and if it would be worth caching some things in their escaped state.
On Jan 23, 2008, at 5:40 PM, Cliff Hirsch wrote:
I wonder what the default order is for the default escape -- first
or last.
It's got to be first... but I guess I'd have to test to be sure.
On Jan 23, 2008, at 2:50 PM, Cliff Hirsch wrote:
On 1/23/08 2:33 PM, "Rob Marscher" <[EMAIL PROTECTED]> wrote:
I decided that the view/template has to be responsible for escaping.
I can't see how it can't be a mix. What if your variable
intentionally has markup? Some content may allow, and intentionally
have, simple markup like <b>, <ul/li>, <br> etc. Escaping this
variable in the template would not be a good thing.
Yeah, I meant that it would be a mix and the template would know to
not escape (or to unescape with the nodefaults modifier in the Smarty
example above) variables that contain markup. Probably a good idea to
employ some type of naming scheme for those variables and make sure
they are filtered when they are coming from user input.
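The setup discussed in this thread, as an added example that is not code from the thread: default escaping for every variable, one variable opting out via smarty:nodefaults, and a naming scheme for the opt-outs. It assumes Smarty 2.x on the include path, a writable temp directory, and a sample template constructed inline.

```php
<?php
// Added example, not code from the thread. Assumes Smarty 2.x is on the
// include path and that the current user can write a temp directory.
require_once 'Smarty.class.php';

// Scratch directories so the script runs stand-alone; in a real app these
// point at the project's templates/ and templates_c/ directories.
$dir = sys_get_temp_dir() . '/smarty_default_escape';
@mkdir($dir . '/templates', 0700, true);
@mkdir($dir . '/templates_c', 0700, true);

// A sample template (constructed for this example). Every {$var} picks up
// the default modifiers; only a variable tagged |smarty:nodefaults skips them.
file_put_contents($dir . '/templates/profile.tpl',
    "<h1>{\$username}</h1>\n" .
    "<div class=\"bio\">{\$bio_html|smarty:nodefaults}</div>\n");

$smarty = new Smarty();
$smarty->template_dir = $dir . '/templates';
$smarty->compile_dir  = $dir . '/templates_c';

// The point of the thread: escape every variable unless the template opts out,
// so a forgotten |escape in one template no longer becomes an XSS bug.
$smarty->default_modifiers = array('escape:"htmlall"');

// Untrusted input straight from a form field.
$smarty->assign('username', '<script>alert(1)</script>');

// Content that intentionally carries simple markup. The _html suffix is the
// naming scheme suggested above: it flags, in both PHP and the template, that
// the value was already filtered to an allow-list (<b>, <ul>, <li>, <br>)
// before assignment, so the template may opt out of escaping it.
$smarty->assign('bio_html', 'Likes <b>PHP</b><br>and writing templates');

$smarty->display('profile.tpl');
```

In the rendered page the h1 contains the username with its angle brackets entity-encoded, while the div keeps the <b> and <br> tags of bio_html intact.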
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php