Craig Thomas wrote:
On 10/24/07, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
And in answer to the subject, "Php why must your apps suck so?" the
unfortunate answer is that it's built into the language. <?php $USERVAR
?> and <?php echo $USERVAR ?> are inherently bad because they don't html
escape $USERVAR yet it is the method used by practically all php code to
output variables to the page.
Many Python web frameworks address this issue in the framework by
automatically html escaping any variable which is displayed in the
template. Notably, kid and genshi (the template languages we're using
for our TG deployments) work this way. PHP, on the other hand, makes
constant vigilance necessary.
Perhaps it's possible to help mitigate any non-escaped output by
developing (or using) whatever themes need to be developed for a
Drupal install using smarty? Quite a few of the themes do use smarty.
I just had a brief look at the smarty tutorial. It looks like it would
help but it's not as safe as genshi. These two lines do mostly the same
thing in genshi, smarty, and raw php:
genshi:
<div>${uservar}</div>
smarty:
<div>{$uservar|escape}</div>
php:
<div><?php echo htmlspecialchars($uservar) ?></div>
Since smarty is more cleanly separating the template from the code than
raw php, it is easier to see when you are outputting your variables and
add "|escape" to them. However, it is still possible to forget to add
that command. (Looking at the smarty tutorial, for instance, the
authors only use escape in a single variable in a single template. All
the other variables output would be unprotected.) Genshi's default of
html escaping variables doesn't let you forget that you need to do this.
If smarty has a way to change the default, then genshi and smarty
would be on an equal footing here.
-Toshio
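The three output styles compared above (raw PHP-style echo, Smarty-style opt-in `|escape`, Genshi-style escape-by-default), as an added illustration that is not code from this thread, from Genshi, Smarty or PHP. All three toy renderers below share one constructed `${name}` / `${name|escape}` placeholder syntax so the behaviour can be compared side by side; the names `render_raw`, `render_opt_in`, `render_escape_by_default`, `Markup` and `unescaped_placeholders` are assumptions of this example. The last function is the audit the author did by hand on the Smarty tutorial: list every placeholder that has no escape filter.

```python
"""Added example: escape-on-output styles for a user-supplied template value.

Constructed placeholder syntax (not any real engine's grammar):
    ${name}          substitute the variable
    ${name|escape}   substitute and HTML-escape (opt-in filter)
"""
import html
import re

# Hypothetical placeholder grammar shared by all three renderers.
PLACEHOLDER = re.compile(r"\$\{(\w+)(\|escape)?\}")


def render_raw(template, context):
    """PHP-echo style: the value goes into the page untouched.

    Deliberately unsafe; it shows why '<?php echo $var ?>' is the bug.
    """
    return PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), template)


def render_opt_in(template, context):
    """Smarty-style: escaped only where the author remembered '|escape'."""
    def repl(m):
        value = str(context[m.group(1)])
        return html.escape(value, quote=True) if m.group(2) else value
    return PLACEHOLDER.sub(repl, template)


class Markup(str):
    """Marker type for a string already known to be safe HTML.

    This is the explicit opt-out an escape-by-default engine needs; plain
    str is always escaped, so forgetting something fails safe.
    """


def render_escape_by_default(template, context):
    """Genshi-style: every substitution is escaped unless it is Markup."""
    def repl(m):
        value = context[m.group(1)]
        if isinstance(value, Markup):
            return str(value)
        return html.escape(str(value), quote=True)
    return PLACEHOLDER.sub(repl, template)


def unescaped_placeholders(template):
    """Audit helper for the opt-in style: names output without '|escape'."""
    return [m.group(1) for m in PLACEHOLDER.finditer(template) if not m.group(2)]


if __name__ == "__main__":
    # Constructed sample input containing markup characters.
    ctx = {"uservar": "<b>& co</b>"}
    for fn in (render_raw, render_opt_in, render_escape_by_default):
        print(fn.__name__, "->", fn("<div>${uservar}</div>", ctx))
    print("unescaped:", unescaped_placeholders("<p>${a}</p><p>${b|escape}</p>"))
```

The point of the `Markup` type is the one the thread makes about defaults: with escape-by-default the author has to write something extra to get unescaped output, so an omission produces an escaped (broken-looking but harmless) page rather than injected markup.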
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list