PHP - security etc

Tim Sweetman ti at
Wed Mar 7 21:14:53 GMT 2007

Andy Armstrong wrote:

> On 7 Mar 2007, at 20:35, David Dorward wrote:
>> David Cantrell wrote:
>>> Of course, one has to do the same when putting a web page together  
>>> using
>>> perl, don't you?
>> Nope :)
>> my $template_toolkit_config = {
>>     INCLUDE_PATH => $data_path,
>>     STASH => Template::Stash::EscapeHTML->new
>> };
> So in fact you /do/ have to know about escaping HTML? :)
> I think that's the main issue here - regardless of the method they  
> should use it just doesn't occur to many PHP developers that they  
> need to do anything at all. Granted making HTML escaping the default  
> might save them from /some/ problems but it's not a substitute for  
> understanding why it's necessary in the first place.

The natural tendency will be to use the default thing, whether from 
inexperience, carelessness, or trying to do fifteen other things at 
once. If the default thing puts escaping on, then your markup doesn't 
work. This is immediately (or almost immediately) evident, and gets fixed.

If the default thing puts escaping off, nothing happens for ages, until 
your work is live, and then it gets pwn3d.

Escaping on by default is the right behaviour for templating systems for 
web apps.


More information about the mailing list