On 10/26/07, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
> Craig Thomas wrote:
> > On 10/24/07, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
> >> And in answer to the subject, "Php why must your apps suck so?" the
> >> unfortunate answer is that it's built into the language. <?php $USERVAR
> >> ?> and <?php echo $USERVAR ?> are inherently bad because they don't html
> >> escape $USERVAR yet it is the method used by practically all php code to
> >> output variables to the page.
> >>
> >> Many Python web frameworks address this issue in the framework by
> >> automatically html escaping any variable which is displayed in the
> >> template. Notably, kid and genshi (the template languages we're using
> >> for our TG deployments) work this way. PHP, on the other hand, makes
> >> constant vigilance necessary.
> >
> > Perhaps it's possible to help mitigate any non-escaped output by
> > developing (or using) whatever themes need to be developed for a
> > Drupal install using smarty? Quite a few of the themes do use smarty.
> >
> I just had a brief look at the smarty tutorial. It looks like it would
> help but it's not as safe as genshi. These two lines do mostly the same
> thing in genshi, smarty, and raw php:
>
> genshi:
> <div>${uservar}</div>
> smarty:
> <div>${uservar|escape}</div>
> php:
> <div><?php echo htmlspecialchars($uservar) ?></div>
>
> Since smarty is more cleanly separating the template from the code than
> raw php, it is easier to see when you are outputting your variables and
> add "|escape" to them. However, it is still possible to forget to add
> that command. (Looking at the smarty tutorial, for instance, the
> authors only use escape in a single variable in a single template. All
> the other variables output would be unprotected.) Genshi's default of
> html escaping variables doesn't let you forget that you need to do this.
> If smarty has a way to change the default, then genshi and smarty
> would be on an equal footing here.
It is possible to change the default behavior.

$smarty->default_modifiers = array('escape:"htmlall"');

--
Craig

>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
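The thread's point, that a template engine should escape every substituted variable unless the author explicitly opts out, and that an opt-in scheme like Smarty's "|escape" is easy to forget, can be shown in a few lines. The following is an added example, not code from the thread, from genshi, or from Smarty: a minimal "${name}" renderer that html-escapes by default (the genshi behaviour), the same substitution done raw (the "<?php echo $uservar ?>" behaviour), and a small audit that scans a Smarty-style template for variables output without "|escape". The names Markup, render, render_raw and find_unescaped, the UNTRUSTED string and the SMARTY_TEMPLATE are all constructed for this example.

```python
import html
import re


class Markup(str):
    """A string the template author explicitly vouches for as already-safe
    HTML. The renderer passes it through untouched; everything else is
    escaped. Hypothetical helper modelled on the escape-by-default idea
    described for genshi in the thread."""


def escape(value):
    """Escape a substituted value unless it is Markup. quote=True also turns
    " and ' into entities, so the same escaper is safe inside attributes."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


# ${name} placeholders, as in the genshi line quoted in the thread.
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def render(template, **context):
    """genshi-style: every ${name} is html-escaped unless marked Markup."""
    return _PLACEHOLDER.sub(lambda m: escape(context[m.group(1)]), template)


def render_raw(template, **context):
    """raw-php-style: ${name} is dropped in verbatim, like <?php echo $uservar ?>.
    Kept only to show the difference; not a rendering mode to ship."""
    return _PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), template)


# Smarty-style {$name}, {$name|escape}, {$name|truncate:80|escape:"htmlall"} tags.
_SMARTY_VAR = re.compile(r"\{\$(\w+)((?:\|[^}|]+)*)\}")


def find_unescaped(smarty_template):
    """Audit a Smarty template for variables output without an |escape
    modifier, i.e. the 'forgot to add |escape' case the thread warns about.
    Returns variable names in order of first appearance. Assumes plain
    {$var|mod} syntax and does not model default_modifiers, which removes
    the need for this check."""
    seen = []
    for name, modifiers in _SMARTY_VAR.findall(smarty_template):
        if not re.search(r"\|escape\b", modifiers) and name not in seen:
            seen.append(name)
    return seen


# Constructed sample input containing every character html.escape rewrites.
UNTRUSTED = '<b>Bob</b> "quoted" & co'

# Constructed Smarty template: only two of the four variables are escaped.
SMARTY_TEMPLATE = """
<h1>{$title}</h1>
<p>Hello {$username|escape}</p>
<p>{$bio|truncate:80|escape:"htmlall"}</p>
<div class="comment">{$comment}</div>
"""

if __name__ == "__main__":
    print(render_raw("<div>${uservar}</div>", uservar=UNTRUSTED))
    print(render("<div>${uservar}</div>", uservar=UNTRUSTED))
    print(render('<input value="${v}">', v='say "hi"'))
    print(render("<div>${body}</div>", body=Markup("<em>trusted</em>")))
    print(find_unescaped(SMARTY_TEMPLATE))
```

The design choice worth noting is the direction of the default: with render() the only way to emit raw HTML is to wrap the value in Markup at the point where someone has decided it is safe, which is visible in review, whereas an opt-in "|escape" leaves every unmarked variable silently unescaped, which is exactly what find_unescaped() has to hunt for. Setting Smarty's default_modifiers, as in the reply above, moves Smarty to the former model.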