PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 20:11:28 GMT 2007
On 7 Mar 2007, at 19:47, Aaron Crane wrote:
> But it's easy to imagine an HTML-oriented templating system which
> would default to HTML escaping, but would let individual templates
> disable the escaping for individual variables or globally, or would
> let a template choose a different default escaping. Using a TT-style
> syntax as a trial balloon:
>
> [% DEFAULT_FILTER html %]
>
> <p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]
>
> <a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]
>
> [% sanitised_html |NONE %][%# Explicitly not escaped at all %]
>
> The existence of that (even if 'html' were a _default_ default filter)
> wouldn't prevent someone setting the default filter to CSV, or JSON,
> or PostScript, or whatever's needed in any particular application.
Which would translate quite nicely into something like

<?php echo '<p>' ?> --> <p>
<?php:raw echo '<p>' ?> --> <p>

which would make the language nicer.

Given that the problems I see are things like this

<?php echo "<h1>$username</h1>" ?>

I'm still not convinced it mitigates the XSS problem.
--
Andy Armstrong, hexten.net
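As an added illustration of the two positions in this exchange (it is not code from either poster, and it is written in Python rather than Perl or PHP so it runs stand-alone), the following implements the TT-style "escape by default, opt out explicitly" scheme Aaron sketches, with a whitelist of filters (html, url, NONE) and a DEFAULT_FILTER directive, and puts it beside the plain string interpolation Andy says is the actual problem. The template syntax, the filter names and the sample variables are assumptions made for this example, not any real Template Toolkit or PHP behaviour.

```python
import html
import re
from urllib.parse import quote

# Whitelist of output filters. Anything not in this table is an error,
# so a typo in a template cannot silently fall through to raw output.
FILTERS = {
    "html": lambda s: html.escape(s, quote=True),  # safe in element/attribute text
    "url": lambda s: quote(s, safe=""),            # safe in a query-string value
    "NONE": lambda s: s,                           # explicit, visible opt-out
}

# [% ... %] directive, [%# ... %] comment (group 1 is "#" for comments).
TAG_RE = re.compile(r"\[%(#?)\s*(.*?)\s*%\]", re.S)


def render(template: str, variables: dict) -> str:
    """Render a tiny TT-like template; every variable is passed through the
    default filter unless the template names another one with '|'."""
    default_filter = "html"  # the 'default default': escape unless told otherwise
    out, pos = [], 0
    for m in TAG_RE.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group(1) == "#":  # comment: emits nothing
            continue
        body = m.group(2)
        if body.startswith("DEFAULT_FILTER"):
            _, name = body.split(None, 1)
            if name not in FILTERS:
                raise ValueError(f"unknown default filter {name!r}")
            default_filter = name
            continue
        if "|" in body:
            var, flt = (part.strip() for part in body.split("|", 1))
        else:
            var, flt = body, default_filter
        if flt not in FILTERS:
            raise ValueError(f"unknown filter {flt!r} for variable {var!r}")
        out.append(FILTERS[flt](str(variables[var])))  # KeyError on unknown var
    out.append(template[pos:])
    return "".join(out)


def naive_h1(username: str) -> str:
    """The pattern from the post: interpolate straight into markup, no escaping."""
    return f"<h1>{username}</h1>"


# Constructed sample template (Aaron's sketch) and constructed input values.
TEMPLATE = """[% DEFAULT_FILTER html %]
<p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]
<a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]
[% sanitised_html |NONE %][%# Explicitly not escaped at all %]"""

SAMPLE_VARS = {
    "name": "Bobby <b>Tables</b>",   # markup in user data gets neutralised
    "a": "x&y=1 2",                  # would break the query string unescaped
    "sanitised_html": "<em>ok</em>", # already-trusted markup, passed as-is
}

EXPECTED = (
    "\n<p>Hello, Bobby &lt;b&gt;Tables&lt;/b&gt;.</p>"
    '\n<a href="/?a=x%26y%3D1%202">whatever</a>'
    "\n<em>ok</em>"
)

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE_VARS))
    # Same user data through both paths: only the template escapes it.
    print(render("<h1>[% username %]</h1>", {"username": "x<b>y"}))
    print(naive_h1("x<b>y"))
```

The point the two outputs make is the one in the thread: a default filter protects every `[% var %]` a developer writes without thinking, while `naive_h1` shows that the escaping default is irrelevant to code that builds markup outside the template layer, which is where Andy's `<h1>$username</h1>` lives. Unknown filters raise rather than degrade to raw output, so the only way to emit unescaped data is the explicit `|NONE`, which is easy to grep for in review.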
More information about the london.pm mailing list