PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 20:49:18 GMT 2007
On 7 Mar 2007, at 20:35, David Dorward wrote:
> David Cantrell wrote:
>
>> Of course, one has to do the same when putting a web page together using
>> perl, don't you?
>
> Nope :)
>
> my $template_toolkit_config = {
>     INCLUDE_PATH => $data_path,
>     STASH        => Template::Stash::EscapeHTML->new
> };
So in fact you /do/ have to know about escaping HTML? :)
I think that's the main issue here - regardless of the method they
should use, it just doesn't occur to many PHP developers that they
need to do anything at all. Granted, making HTML escaping the default
might save them from /some/ problems, but it's not a substitute for
understanding why it's necessary in the first place.
Maybe the real problem is with HTML. If it wasn't so damn human
readable and didn't render most literal text literally there'd be no
problem. Binary HTML - that's what we need here.
--
Andy Armstrong, hexten.net
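The "some problems" point above, worked through as an added example (this is not code from the thread and not Template Toolkit; the `escape_html` function below stands in for an escape-everything stash such as the `Template::Stash::EscapeHTML` David quotes, and the payload strings, the `render_*` functions and `js_as_seen_by_browser` are all constructed for illustration). Entity-encoding every value is exactly right for a text node or a quoted attribute, and does nothing useful in three other contexts that appear in ordinary templates: an unquoted attribute, an `href`, and a JavaScript string inside an event-handler attribute. The last case is the instructive one, because the browser entity-decodes the attribute before the script engine ever sees it, so the escaping is undone before it could matter.

```python
import html
import json
import re

# Constructed attacker-controlled inputs (not from the thread), each aimed at
# a different output context.
TEXT_PAYLOAD = '<script>alert(1)</script>'
ATTR_PAYLOAD = 'x onmouseover=alert(1)'   # turns into a second attribute
URL_PAYLOAD = 'javascript:alert(1)'        # scheme injection into an href
JS_PAYLOAD = "'); alert(1); ('"            # string breakout in an event handler


def escape_html(s):
    """The 'escape everything' default: entity-encode & < > " and '.
    Right for a text node or a quoted attribute value, and only for those."""
    return html.escape(s, quote=True)


def render_text_node(user):
    """Context 1: text node. Default escaping is sufficient here."""
    return '<p>Hello, ' + escape_html(user) + '</p>'


def render_unquoted_attr(user):
    """Context 2: unquoted attribute. Escaping leaves spaces and '=' alone,
    so the payload becomes a new attribute (an event handler)."""
    return '<div title=' + escape_html(user) + '>x</div>'


def render_quoted_attr(user):
    """Fix for context 2: quote the attribute; the escaped value cannot close it."""
    return '<div title="' + escape_html(user) + '">x</div>'


def render_href(user):
    """Context 3: URL. 'javascript:' contains nothing HTML escaping touches."""
    return '<a href="' + escape_html(user) + '">link</a>'


def render_safe_href(user):
    """Fix for context 3: allow only http(s) or site-relative URLs, then escape."""
    if not re.match(r'^(?:https?://|/(?!/))', user, re.IGNORECASE):
        user = '#'
    return '<a href="' + escape_html(user) + '">link</a>'


def render_onclick(user):
    """Context 4: JS string literal inside an event-handler attribute.
    The quotes are entity-encoded, but the browser decodes them again."""
    return '<button onclick="show(\'' + escape_html(user) + '\')">go</button>'


def render_safe_onclick(user):
    """Fix for context 4: encode for JS first (a JSON string is a JS string
    literal), then HTML-escape for the attribute. The browser undoes only the
    outer HTML layer, leaving a single JS string literal."""
    return '<button onclick="show(' + escape_html(json.dumps(user)) + ')">go</button>'


def js_as_seen_by_browser(fragment):
    """What the script engine receives: the attribute value after the HTML
    parser has entity-decoded it."""
    value = re.search(r'onclick="([^"]*)"', fragment).group(1)
    return html.unescape(value)


if __name__ == '__main__':
    print(render_text_node(TEXT_PAYLOAD))
    print(render_unquoted_attr(ATTR_PAYLOAD), ' <- new attribute injected')
    print(render_quoted_attr(ATTR_PAYLOAD))
    print(render_href(URL_PAYLOAD), ' <- scheme survives escaping')
    print(render_safe_href(URL_PAYLOAD))
    print(js_as_seen_by_browser(render_onclick(JS_PAYLOAD)), ' <- breakout')
    print(js_as_seen_by_browser(render_safe_onclick(JS_PAYLOAD)))
```

The take-away matches Andy's point: an escape-by-default stash removes the text-node class of bug, which is the majority, but the template author still has to know which context each value lands in and apply the matching encoding (quote the attribute, allowlist the URL scheme, JS-encode before HTML-encoding). That knowledge is what the default cannot supply.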