Re: A better XSS trap (Feedback wanted)
- From: Christopher Vogt <christopher.vogt@xxxxxxxxxxxxxx>
- Date: Sat, 13 Sep 2008 19:55:23 +0200
Hej Egbert,
In my eyes it is
better to always be forced to choose the right filter depending on the
context and for example html, urls or javascript are different contexts
that require different filters.
I think you're right there. Maybe I'll have to change some of that.
I think it is partly a question of taste. I am following the
perfectionists path here. But automatically applying htmlentities to
everything by default (but with a by-pass option) also has an advantage.
It makes template code shorter, which is also nice.
About template languages:
Mostly because of control structures. [...] Wrapping them
into curly or angular braces makes the whole thing a much nicer read,
and easier to understand for non-programmers (doing the HTML design).
To my experience, it is a big difference for some.
But it's really a matter of taste;
I agree, in the end it comes down to a question of taste and psychology.
I personally stick to PHP only, because the gain I get from a template
engine is smaller than the effort of setup, compilation and learning a new
language. And I disagree with your statement on the mplate website:
compared to plain PHP, mplate IS another language and a new way of
working, even if it is closer to PHP.
However, I also use Smarty in one project for quite some years now,
mainly because of its security feature. The project is sort of a web
service, where the clients can provide arbitrary presentation logic
using Smarty templates. It started before the common web service
standards became really popular, or at least known to me. I was a lot
less experienced at that time. Our biggest problem throughout all this time
was that people didn't know the Smarty syntax, and having to learn it was
a barrier. So another reason why I like PHP-only templates is that PHP
is well known and well documented.
After some thought: does your approach also allow objects to be
filtered? This would possibly be a whole bit more complicated, with
method call return values and magic/non-magic properties, etc.
Yes, objects are also wrapped dynamically and recursively using magic
methods. So are arrays using the ArrayAccess interface. Accessing
anything inside them returns a decorated value. Read the examples in the
SVN, it's all in there :). Browse the SVN from the google code page if
you want. (And yes it was a "whole bit more complicated" to implement
;), but I wanted a comprehensive solution and SPL helped a lot).
One oddity for objects is that, since they are wrapped by decorating
objects, using methods or operators like "instanceof" on the outer
objects does not work as expected, at least if you expect equivalent
results. I didn't like that at first. But in a way it makes sense, as
the wrapping object controls all access to the wrapped object, even to
the type information. So as with strings, any time the REAL value is
needed, ->raw() is the answer.
/Christopher
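The two design points discussed above (escape-by-default with an explicit bypass versus context-specific filters, and the recursive wrapping of objects and arrays whose outer wrapper hides the type from "instanceof") can be seen in a few dozen lines of PHP. The following is an added example written for this page by the editor; it is not mplate's code and does not reproduce its API. The class name Safe, the methods wrap()/raw()/url()/js(), and the User sample class are assumptions made for the illustration; only the idea of a decorating wrapper with ->raw() comes from the message.

```php
<?php
// Added example (not mplate's own code). A minimal "escape by default"
// decorator: anything reached through it is HTML-escaped when echoed, array
// elements and object members come back wrapped, and the unescaped value
// has to be requested explicitly with ->raw(). Names are assumptions.

final class Safe implements ArrayAccess, IteratorAggregate
{
    private $value;

    private function __construct($value) { $this->value = $value; }

    /** Wrap any value; already-wrapped values are returned unchanged. */
    public static function wrap($value): Safe
    {
        return $value instanceof Safe ? $value : new Safe($value);
    }

    /** Explicit bypass: the real, unescaped value (and the real type). */
    public function raw()
    {
        return $this->value;
    }

    /** Default filter: HTML text and double-quoted attribute context. */
    public function __toString(): string
    {
        if (!is_scalar($this->value) && !is_null($this->value)) {
            // Arrays/objects have no safe single-string form; refuse loudly.
            throw new LogicException('cannot echo a non-scalar wrapped value');
        }
        return htmlspecialchars((string) $this->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** Other contexts need other filters, chosen by the template author. */
    public function url(): string
    {
        return rawurlencode((string) $this->value);
    }

    public function js(): string
    {
        // A JSON string literal is a valid JS literal; HEX flags keep </script> out.
        return json_encode((string) $this->value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }

    /** Objects: property reads and method calls pass through and are re-wrapped. */
    public function __get($name)
    {
        return self::wrap($this->value->$name);
    }

    public function __call($name, $args)
    {
        return self::wrap($this->value->$name(...$args));
    }

    /** Arrays: element reads are wrapped; the wrapper is read-only. */
    public function offsetExists($offset): bool { return isset($this->value[$offset]); }
    #[\ReturnTypeWillChange]
    public function offsetGet($offset) { return self::wrap($this->value[$offset]); }
    public function offsetSet($offset, $v): void { throw new LogicException('read-only'); }
    public function offsetUnset($offset): void { throw new LogicException('read-only'); }

    public function getIterator(): Iterator
    {
        foreach ($this->value as $k => $v) {
            yield $k => self::wrap($v);
        }
    }
}

// Constructed sample data (hypothetical class, attacker-controlled strings).
class User
{
    public $name = '<script>alert(1)</script>';
    public function homepage() { return 'http://example.com/?q=<a>&b=1'; }
    public function tags()     { return ['a&b', '"quoted"']; }
}

$u = Safe::wrap(new User());

echo "<p>Hello, $u->name</p>\n";                       // HTML context: escaped by default
echo '<a href="/go?to=', $u->homepage()->url(), '">',   // URL context: URL filter
     $u->homepage(), "</a>\n";                          // ...and HTML filter for the text
echo '<script>var n = ', $u->name->js(), ";</script>\n"; // JS context: JS filter
foreach ($u->tags() as $t) { echo "<li>$t</li>\n"; }    // array elements come out wrapped
var_dump($u instanceof User);                           // bool(false): the wrapper hides the type
var_dump($u->raw() instanceof User);                    // bool(true)
echo $u->name->raw(), "\n";                             // explicit bypass, unescaped
```

Two caveats a practitioner would check before relying on such a wrapper: the escape hatch is also the hole, so ->raw() calls in templates deserve the same review attention as an unescaped echo; and because the wrapper's own methods (raw, url, js) take precedence over __call, a wrapped object that happens to have a method with one of those names can no longer be reached through the decorator.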
- References:
- Re: A better XSS trap (Feedback wanted)
- From: Egbert Teeselink
- Re: A better XSS trap (Feedback wanted)
- From: Christopher Vogt
- Re: A better XSS trap (Feedback wanted)
- From: Egbert Teeselink
- Re: A better XSS trap (Feedback wanted)