PHP - security etc

Andy Armstrong andy at
Wed Mar 7 20:49:18 GMT 2007

On 7 Mar 2007, at 20:35, David Dorward wrote:

> David Cantrell wrote:
>> Of course, one has to do the same when putting a web page together
>> using perl, don't you?
> Nope :)
> my $template_toolkit_config = {
>     INCLUDE_PATH => $data_path,
>     STASH => Template::Stash::EscapeHTML->new
> };

So in fact you /do/ have to know about escaping HTML? :)

I think that's the main issue here - regardless of the method they
should use, it just doesn't occur to many PHP developers that they
need to do anything at all. Granted, making HTML escaping the default
might save them from /some/ problems, but it's not a substitute for
understanding why it's necessary in the first place.

Maybe the real problem is with HTML. If it wasn't so damn human
readable and didn't render most literal text literally there'd be no
problem. Binary HTML - that's what we need here.

Andy Armstrong,
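For readers following the thread, here is an added example (not posted by either participant) that renders one template three ways with Template Toolkit: the default stash, the `Template::Stash::EscapeHTML` stash from the quoted config, and the default stash with an explicit `html` filter. The input string is constructed to show what an unescaped interpolation lets through.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: compare the default Template
# Toolkit stash with Template::Stash::EscapeHTML on untrusted input.
use strict;
use warnings;
use Template;
use Template::Stash::EscapeHTML;

# Constructed untrusted value, the sort of thing a form field might carry.
my $vars     = { name => q{<script>alert('x')</script>} };
my $template = "<p>Hello, [% name %]</p>\n";

# 1. Default stash: the value is interpolated literally, so the markup
#    becomes part of the page (the classic injection mistake).
my $plain = Template->new({});
$plain->process( \$template, $vars, \my $out_plain )
    or die $plain->error;
print "default stash:    $out_plain";

# 2. EscapeHTML stash (the config quoted in the thread): every scalar
#    fetched from the stash is HTML-escaped before it reaches the output,
#    so the same template no longer emits live markup.
my $escaping = Template->new( { STASH => Template::Stash::EscapeHTML->new } );
$escaping->process( \$template, $vars, \my $out_escaped )
    or die $escaping->error;
print "EscapeHTML stash: $out_escaped";

# 3. Without the escaping stash, the same protection needs an explicit
#    filter on every interpolation; forgetting it once, anywhere, is the
#    "doesn't occur to them" problem the thread describes.
my $filtered = "<p>Hello, [% name | html %]</p>\n";
$plain->process( \$filtered, $vars, \my $out_filtered )
    or die $plain->error;
print "explicit filter:  $out_filtered";
```

Run it with Template Toolkit and Template::Stash::EscapeHTML installed from CPAN; only the first output contains the raw `<script>` element.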
