Php why must your apps suck so?

Craig Thomas bicycle.nutz at gmail.com
Fri Oct 26 20:43:34 UTC 2007 

On 10/26/07, Toshio Kuratomi <a.badger at gmail.com> wrote:
> Craig Thomas wrote:
> > On 10/24/07, Toshio Kuratomi <a.badger at gmail.com> wrote:
> >> And in answer to the subject, "Php why must your apps suck so?" the
> >> unfortunate answer is that it's built into the language.  <?php $USERVAR
> >> ?> and <?php echo $USERVER ?> are inherently bad because they don't html
> >> escape $USERVAR yet it is the method used by practically all php code to
> >> output variables to the page.
> >>
> >> Many Python web frameworks address this issue in the framework by
> >> automatically html escaping any variable which is displayed in the
> >> template.  Notably, kid and genshi (the template languages we're using
> >> for our TG deployments) work this way.  PHP, on the other hand, makes
> >> constant vigilance necessary.
> >
> > Perhaps it's possible to help mitigate any non-escaped output by
> > developing (or using) whatever themes need to be developed for a
> > Drupal install using smarty ? quite a few of the themes do use smarty.
> >
> I just had a brief look at the smarty tutorial.  It looks like it would
> help but it's not as safe as genshi.  These two lines do mostly the same
> thing in genshi, smarty, and raw php:
>
> genshi:
>    <div>${uservar}</div>
> smarty:
>    <div>${uservar|escape}</div>
> php:
>    <div><?php echo htmlspecialchars($uservar) ?></div>
>
> Since smarty is more cleanly separating the template from the code than
> raw php, it is easier to see when you are outputting your variables and
> add "|escape" to them.  However, it is still possible to forget to add
> that command.  (Looking at the smarty, tutorial, for instance, the
> authors only use escape in a single variable in a single template.  All
> the other variables output would be unprotected.)  Genshi's default of
> html escaping variables doesn't let you forget that you need to do this.
>   If smarty has a way to change the default, then genshi and smarty
> would be on an equal footing here.

It is possible to change the default behavior.

$smarty->default_modifiers = array('escape:"htmlall"').

--
Craig

>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>

More information about the infrastructure mailing list