PHP - security etc

Aaron Trevena aaron.trevena at gmail.com
Thu Mar 8 20:10:05 GMT 2007


On 08/03/07, Aaron Trevena <aaron.trevena at gmail.com> wrote:
> On 07/03/07, Paul Makepeace <paulm at paulm.com> wrote:
> > The conclusion I got from
> > reading between lines on catalyst, templates, and london.pm is that
> > Perl just doesn't have decent HTML+template+escaping yet either.
>
>
> Depends what you want - if you only want to allow what you consider
> safe html, then it *is* trivial in TT, just pass a filtering sub to TT
> constructor, or use the HTML filter.

Actually, I think Paul's argument is a straw man; escaping is to do
with handling formats of data, so that it is displayed correctly. XSS,
etc. should be prevented at the point of entry, not at the last minute
before being displayed to the user when generating templated output.

So it's not a case of, HTML+template+escaping, it's a case of decent
validation, which means using stuff like Data::FormValidator in
combination with specialised filters for XSS, etc of which CPAN has
several.

So Paul is wrong on both counts - Templates + escaping (whether it's
HTML, XML or even LaTeX) is just dandy thanks, and XSS is also
manageable using tools available on CPAN like XSS::Lint,
HTML::TagFilter, and XSS HTML::StripScripts packages.

I'm sure this myth about a vital missing feature has been debunked here already.

A.

-- 
http://www.aarontrevena.co.uk
LAMP System Integration, Development and Hosting
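The two mechanisms the thread refers to, a validation pass at the point of entry with Data::FormValidator and escaping at output with Template Toolkit's built-in `html` filter plus a filter sub passed to the TT constructor, as a worked example. This is added illustration, not code from the original post or from any of the modules named; the form fields, the constructed `$untrusted` value and the custom `strip_and_escape` filter name are assumptions made for the example. Note that the output-side escaping is applied unconditionally here, independent of whether the input check passed, since the `html` filter only protects HTML body context; attribute, JavaScript or URL contexts need their own escaping.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::FormValidator;
use Template;
use HTML::Entities qw(encode_entities);

# Constructed sample of untrusted form input (not taken from the post).
my %input = (
    comment => q{<script>alert(1)</script>Hello & <b>welcome</b>},
    email   => q{not-an-email},
);

# 1. Validation at the point of entry (Data::FormValidator).
#    Reject malformed fields before they reach storage or templates.
my $profile = {
    required           => [qw(comment email)],
    constraint_methods => {
        # Hypothetical, deliberately simple e-mail shape check.
        email => qr/^[^@\s]+@[^@\s]+\.[^@\s]+$/,
    },
};
my $results = Data::FormValidator->check( \%input, $profile );

if ( $results->has_missing || $results->has_invalid ) {
    print "Rejected at entry:\n";
    print "  missing: $_\n" for $results->missing;
    print "  invalid: $_\n" for $results->invalid;
}

# 2. Escaping at output (Template Toolkit).
#    FILTERS => { name => sub } is the "filtering sub passed to the TT
#    constructor"; the built-in 'html' filter needs no setup at all.
my $tt = Template->new({
    FILTERS => {
        # Hypothetical filter: drop tags, then entity-encode the remainder.
        # The tag regex is a crude illustration, not a robust HTML parser.
        strip_and_escape => sub {
            my $text = shift;
            $text =~ s/<[^>]*>//g;
            return encode_entities( $text, '<>&"\'' );
        },
    },
}) or die Template->error;

my $template = <<'TT';
Escaped : [% comment | html %]
Stripped: [% comment | strip_and_escape %]
TT

# Escape regardless of the validation outcome: the template is the
# last line of defence for the HTML body context.
$tt->process( \$template, { comment => $input{comment} }, \my $out )
    or die $tt->error;
print $out;
```

Run it with the two CPAN modules installed; the `html` filter turns the `<script>` element into inert text such as `&lt;script&gt;`, while the custom filter removes the tags and encodes the ampersand. Validation and escaping are complementary: the Data::FormValidator profile rejects the malformed e-mail, but it is the template filter that keeps the comment from executing in a browser.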

