PHP - security etc

Andy Armstrong andy at hexten.net
Wed Mar 7 20:49:18 GMT 2007


On 7 Mar 2007, at 20:35, David Dorward wrote:

> David Cantrell wrote:
>
>> Of course, one has to do the same when putting a web page together
>> using perl, don't you?
>
> Nope :)
>
> my $template_toolkit_config = {
>     INCLUDE_PATH => $data_path,
>     STASH => Template::Stash::EscapeHTML->new
> };

So in fact you /do/ have to know about escaping HTML? :)

I think that's the main issue here - regardless of the method they
should use, it just doesn't occur to many PHP developers that they
need to do anything at all. Granted, making HTML escaping the default
might save them from /some/ problems, but it's not a substitute for
understanding why it's necessary in the first place.

Maybe the real problem is with HTML. If it wasn't so damn human
readable and didn't render most literal text literally there'd be no
problem. Binary HTML - that's what we need here.

-- 
Andy Armstrong, hexten.net
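An added example, not part of this thread, showing the two approaches side by side: the default stash where the template author must remember `| html`, and the Template::Stash::EscapeHTML stash from David's quoted config, which escapes every value fetched from the stash even when the template forgets. The hostile input is constructed; it assumes Template Toolkit and Template::Stash::EscapeHTML from CPAN are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;
use Template::Stash::EscapeHTML;

# Constructed sample of untrusted input: a value that, if interpolated
# verbatim into HTML, is rendered as markup rather than as text.
my $vars = { name => q{<script>alert("xss")</script>} };

# Two templates: one that escapes explicitly, one that forgets to.
my $careful    = "<p>Hello, [% name | html %]</p>\n";
my $forgetful  = "<p>Hello, [% name %]</p>\n";

# Default stash: only the explicit "html" filter protects the output.
my $plain_tt   = Template->new();

# Escaping stash (the configuration quoted in the thread): values are
# HTML-escaped as they come out of the stash, whatever the template does.
my $escape_tt  = Template->new({ STASH => Template::Stash::EscapeHTML->new });

my @cases = (
    [ 'default stash, explicit filter'  => $plain_tt,  $careful   ],
    [ 'default stash, filter forgotten' => $plain_tt,  $forgetful ],
    [ 'EscapeHTML stash, filter forgotten' => $escape_tt, $forgetful ],
);

for my $case (@cases) {
    my ($label, $tt, $template) = @$case;
    my $out;
    $tt->process(\$template, $vars, \$out) or die $tt->error;
    print "$label:\n  $out";
}
```

Only the second case emits the `<script>` element as live markup; the other two turn it into text, which is the whole point of the escaping-by-default stash, and also why the author still has to understand where escaping is required.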


