PHP - security etc

Andy Armstrong andy at hexten.net
Wed Mar 7 20:11:28 GMT 2007


On 7 Mar 2007, at 19:47, Aaron Crane wrote:
> But it's easy to imagine an HTML-oriented templating system which
> would default to HTML escaping, but would let individual templates disable the
> escaping for individual variables or globally, or would let a template
> choose a different default escaping.  Using a TT-style syntax as a trial
> balloon:
>
>   [% DEFAULT_FILTER html %]
>
>   <p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]
>
>   <a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]
>
>   [% sanitised_html |NONE %][%# Explicitly not escaped at all %]
>
> The existence of that (even if 'html' were a _default_ default filter)
> wouldn't prevent someone setting the default filter to CSV, or JSON, or
> PostScript, or whatever's needed in any particular application.

Which would translate quite nicely into something like

<?php echo '<p>' ?>		-->	&lt;p&gt;
<?php:raw echo '<p>' ?>		-->	<p>

which would make the language nicer.

Given that the problems I see are things like this

<?php echo "<h1>$username</h1>" ?>

I'm still not convinced it mitigates the XSS problem.

-- 
Andy Armstrong, hexten.net
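As an added illustration (not code from this thread or from either poster), here is a minimal PHP 8 sketch of the escape-by-default template scheme Aaron describes: the `[% ... %]` parsing, the `html`/`url`/`NONE` filter names and the `apply_filter`/`render` helpers are assumptions modelled on TT syntax, and the inputs are constructed.

```php
<?php
// Added example: a tiny TT-style renderer where every variable goes through a
// default filter unless the template overrides it, either per variable
// ([% x |url %], [% x |NONE %]) or for the rest of the template
// ([% DEFAULT_FILTER url %]).
declare(strict_types=1);

function apply_filter(string $value, string $filter): string
{
    return match ($filter) {
        'html' => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'url'  => rawurlencode($value),
        'NONE' => $value, // explicit opt-out: the template author vouches for it
        default => throw new InvalidArgumentException("unknown filter: $filter"),
    };
}

function render(string $template, array $vars, string $default = 'html'): string
{
    // One left-to-right pass, so a DEFAULT_FILTER directive only affects the
    // variables that follow it (as it would in Template Toolkit).
    $pattern = '/\[%(#.*?|\s*DEFAULT_FILTER\s+(\w+)\s*|\s*(\w+)\s*(?:\|\s*(\w+))?\s*)%\]/s';
    return preg_replace_callback($pattern, function (array $m) use ($vars, &$default): string {
        if ($m[1][0] === '#') {             // [%# comment %]
            return '';
        }
        if (($m[2] ?? '') !== '') {         // [% DEFAULT_FILTER x %]
            $default = $m[2];
            return '';
        }
        $filter = ($m[4] ?? '') !== '' ? $m[4] : $default;
        $value  = (string) ($vars[$m[3]] ?? '');   // unknown variables render empty
        return apply_filter($value, $filter);
    }, $template);
}

// Aaron's template from the thread, fed constructed hostile input so the
// implicit HTML escaping, the explicit URL escaping and the NONE opt-out
// can each be seen in the output.
$template = <<<'TT'
[% DEFAULT_FILTER html %]
<p>Hello, [% name %].</p>[%# Implicitly HTML-escaped %]
<a href="/?a=[% a |url %]">whatever</a>[%# Explicitly URL-escaped %]
[% sanitised_html |NONE %][%# Explicitly not escaped at all %]
TT;

echo render($template, [
    'name'           => '<script>alert(1)</script>', // constructed input
    'a'              => 'x&y=1 "z"',                  // constructed input
    'sanitised_html' => '<em>already clean</em>',     // constructed input
]);
```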


