At 7:02 PM -0500 1/10/09, Phpster wrote:
> That can and should be done with a simple str_replace() on the
> display portion of the code.
> Bastien
Really?
Then how do you handle these examples of client input?
This is <b<what</b> I have to say.
This is <i><b>what</i></b> I have to say.
This is <b>what<b> I have to say.
This is <b>what /> I have to say.
This is what</b> I have to say.
And I could go on with even more examples. The point is that when you
allow the client to inject style elements into data, then things can
go wrong on several fronts.
One, of course is that the client can inject malformed code, which
can screw up the page.
Two, by allowing the client to inject styling elements, you are not
keeping style and data elements separate. That is counter to
"best practices".
For example, what happens at some later date when the client wants to
change how the data looks? The client says "You told me that you were
using css -- I thought it was easy to change things. Why can't you
remove all these bold statements?"
Of course, you could go to the css file and make bold not bold but
then what happens when you need bold? This problem is not as simple as
using str_replace().
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
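The five malformed inputs above, run through two display-side approaches, as an added example; this is not code from tedd, Bastien or the PHP project. `naive_display()` is one reading of "a simple str_replace() on the display portion" (escape, then turn `&lt;b&gt;` back into a real tag), and `safe_markup()` is a stack-based whitelist that only re-enables tags whose open/close pairs nest correctly; both function names and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the malformed cases from the message plus one
// well-formed line for comparison.
const SAMPLE_INPUTS = [
    'This is <b<what</b> I have to say.',
    'This is <i><b>what</i></b> I have to say.',
    'This is <b>what<b> I have to say.',
    'This is <b>what /> I have to say.',
    'This is what</b> I have to say.',
    'This is <b>what</b> I have to say.',
];

// Assumed shape of the "simple str_replace()" idea: escape, then swap the
// escaped <b> markers back into real tags. Stray or unclosed tags go
// straight through to the browser, so the page markup can break.
function naive_display(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return str_replace(['&lt;b&gt;', '&lt;/b&gt;'], ['<b>', '</b>'], $escaped);
}

// Escape everything, then re-enable a small whitelist of tags only where the
// open/close pairs nest properly. Anything unbalanced stays escaped text, so
// the output is always well-formed regardless of what the client typed.
function safe_markup(string $text, array $allowed = ['b', 'i']): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // After escaping, candidate tags look like &lt;b&gt; or &lt;/b&gt;.
    $names   = implode('|', array_map('preg_quote', $allowed));
    $pattern = '#(&lt;/?(?:' . $names . ')&gt;)#i';

    // With DELIM_CAPTURE, odd indexes are candidate tags, even indexes are text.
    $parts = preg_split($pattern, $escaped, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out   = [];
    $stack = []; // each entry: [tag name, index into $out of its opening tag]

    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {            // plain, already-escaped text
            $out[] = $part;
            continue;
        }

        preg_match('#^&lt;(/?)([a-z0-9]+)&gt;$#i', $part, $m);
        $closing = ($m[1] === '/');
        $name    = strtolower($m[2]);

        if (!$closing) {
            $stack[] = [$name, count($out)];
            $out[]   = "<$name>";      // provisional; reverted if never closed
        } elseif ($stack && end($stack)[0] === $name) {
            array_pop($stack);
            $out[] = "</$name>";
        } else {
            $out[] = $part;            // stray or mis-nested close stays escaped
        }
    }

    // Tags still open at the end were never closed: restore the escaped form.
    foreach ($stack as [$name, $index]) {
        $out[$index] = "&lt;$name&gt;";
    }

    return implode('', $out);
}

foreach (SAMPLE_INPUTS as $input) {
    echo "input : $input\n";
    echo "naive : " . naive_display($input) . "\n";
    echo "safe  : " . safe_markup($input) . "\n\n";
}
```

On the third input the naive version emits `<b>what<b>` with two unclosed tags, while `safe_markup()` reverts both to `&lt;b&gt;` and renders them as literal text; on the second it yields `&lt;i&gt;<b>what&lt;/i&gt;</b>`, keeping only the pair that actually nests. This covers tedd's first point (malformed markup). It does nothing for the second, since any inline `<b>` the client is allowed to type is still presentation mixed into data.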