PHP - security etc

Dominic Mitchell dom at happygiraffe.net
Fri Mar 9 08:42:41 GMT 2007


Simon Wilcox wrote:
> On Thu, 8 Mar 2007, Dominic Mitchell wrote:
> 
>> Mason works great for me:
>>
>>   % $foo = "<b>@</b>";
>>   <% $foo %>            # &lt;b&gt;@&lt;/b&gt;
>>   <% $foo |n %>         # <b>@</b>
> 
> And what does this output ?
> 
>    % $input = "<blink>I rulez</blink>"; # or a cgi param :-)
>    % $foo = "<b>$input</b>";
>    <% $foo %>            #
>    <% $foo |n %>         #
> 
> I don't think either is what you want, which is
> 
> <b>&lt;blink&gt;I rulez&lt;/blink&gt;</b>
> 
> So you still have to deal with escaping html by hand. Or am I wrong here ?

Well, if you do it in that convoluted manner, yes, you do have to deal with 
it by hand.  Stop doing that.

   % $input = "<blink>I rulez</blink>"; # or a cgi param :-)
   <b><% $input %></b>

Which is, I believe, the way Mason was intended to be used.  I mean if 
you want PHP, you know where it is.  :-)

-Dom
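As an added illustration of the exchange above (not code from the thread and not HTML::Mason itself): a small Python stand-in for Mason's `<% %>` substitution tag, with HTML escaping on by default and the `|n` filter switching it off, run over the thread's own inputs so the two outputs Simon left blank are filled in. The `render` helper and its regex are assumptions of this example, not Mason's implementation.

```python
import html
import re

# Stand-in for Mason's <% expr %> tag (assumption: a minimal imitation, not
# HTML::Mason). Mason configured with default_escape_flags => 'h' HTML-escapes
# every substitution unless the |n ("no escape") filter is given.
TAG = re.compile(r"<%\s*(?P<expr>.*?)\s*(?:\|(?P<flags>[a-z]+))?\s*%>")

def render(template, variables):
    """Replace each <% $name %> / <% $name |n %> with the variable's value:
    HTML-escaped by default, emitted raw when the |n flag is present."""
    def substitute(match):
        name = match.group("expr").strip().lstrip("$")
        value = str(variables[name])
        flags = match.group("flags") or ""
        if "n" in flags:
            return value                      # |n: trusted markup, no escaping
        return html.escape(value, quote=True)  # default: safe in HTML body text
    return TAG.sub(substitute, template)

# Constructed sample input standing in for the thread's "cgi param".
UNTRUSTED = "<blink>I rulez</blink>"

def first_case():
    # Dom's opening example: a literal string containing markup.
    foo = "<b>@</b>"
    return (render("<% $foo %>", {"foo": foo}),
            render("<% $foo |n %>", {"foo": foo}))

def simon_case():
    # Simon's example: markup is glued around the input *before* it reaches
    # the tag, so the template cannot tell trusted <b> from untrusted <blink>.
    foo = "<b>" + UNTRUSTED + "</b>"
    return (render("<% $foo %>", {"foo": foo}),     # all escaped, <b> lost too
            render("<% $foo |n %>", {"foo": foo}))  # nothing escaped, injected

def dom_case():
    # Dom's fix: keep the markup literal and interpolate only the untrusted
    # value, so the default escape lands exactly where it is needed.
    return render("<b><% $input %></b>", {"input": UNTRUSTED})
```

Only `dom_case()` yields the `<b>&lt;blink&gt;I rulez&lt;/blink&gt;</b>` Simon asked for; the two `simon_case()` outputs are the double-escaped and the raw (injected) variants.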
