PHP - security etc
dom at happygiraffe.net
Fri Mar 9 08:42:41 GMT 2007
Simon Wilcox wrote:
> On Thu, 8 Mar 2007, Dominic Mitchell wrote:
>> Mason works great for me:
>> % $foo = "<b>@</b>";
>> <% $foo %> # <b>@</b>
>> <% $foo |n %> # <b>@</b>
> And what does this output ?
> % $input = "<blink>I rulez</blink>"; # or a cgi param :-)
> % $foo = "<b>$input</b>";
> <% $foo %> #
> <% $foo |n %> #
> I don't think either is what you want, which is
> <b><blink>I rulez</blink></b>
> So you still have to deal with escaping html by hand. Or am I wrong here ?
Well if you do it that convoluted manner, yes you do have to deal with
it by hand. Stop doing that.
% $input = "<blink>I rulez</blink>"; # or a cgi param :-)
<b><% $input %></b>
Which is, I believe, the way Mason was intended to be used. I mean if
you want PHP, you know where it is. :-)
More information about the london.pm