Php why must your apps suck so?

Toshio Kuratomi a.badger at gmail.com
Fri Oct 26 20:08:24 UTC 2007


Craig Thomas wrote:
> On 10/24/07, Toshio Kuratomi <a.badger at gmail.com> wrote:
>> And in answer to the subject, "Php why must your apps suck so?" the
>> unfortunate answer is that it's built into the language.  <?php $USERVAR
>> ?> and <?php echo $USERVAR ?> are inherently bad because they don't html
>> escape $USERVAR yet it is the method used by practically all php code to
>> output variables to the page.
>>
>> Many Python web frameworks address this issue in the framework by
>> automatically html escaping any variable which is displayed in the
>> template.  Notably, kid and genshi (the template languages we're using
>> for our TG deployments) work this way.  PHP, on the other hand, makes
>> constant vigilance necessary.
> 
> Perhaps it's possible to help mitigate any non-escaped output by
> developing (or using) whatever themes need to be developed for a
> Drupal install using smarty ? quite a few of the themes do use smarty.
> 
I just had a brief look at the smarty tutorial.  It looks like it would 
help but it's not as safe as genshi.  These two lines do mostly the same 
thing in genshi, smarty, and raw php:

genshi:
   <div>${uservar}</div>
smarty:
   <div>{$uservar|escape}</div>
php:
   <div><?php echo htmlspecialchars($uservar) ?></div>

Since smarty is more cleanly separating the template from the code than 
raw php, it is easier to see when you are outputting your variables and 
add "|escape" to them.  However, it is still possible to forget to add 
that command.  (Looking at the smarty tutorial, for instance, the 
authors only use escape in a single variable in a single template.  All 
the other variables output would be unprotected.)  Genshi's default of 
html escaping variables doesn't let you forget that you need to do this. 
If smarty has a way to change the default, then genshi and smarty 
would be on an equal footing here.

-Toshio
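To make the escape-by-default versus opt-in comparison above concrete, here is a small added Python example; it is not code from the thread, nor from Genshi, Smarty or PHP. It implements two toy renderers for the same `${name}` placeholder syntax: `render_opt_in` escapes a value only when the author wrote a `|escape` modifier (the Smarty/raw-PHP discipline), while `render_auto` escapes every substituted value unless it is wrapped in a `Markup` type the author explicitly vouches for (the Genshi discipline). The hostile input, the template strings, and the `Markup` class are constructed for the example.

```python
import html
import re

# ${name} or ${name|escape}; the modifier list is captured in group 2.
_VAR = re.compile(r"\$\{(\w+)((?:\|\w+)*)\}")


class Markup(str):
    """A string the template author vouches for as already-safe HTML.

    Hypothetical type for this example: the auto-escaping renderer passes
    Markup through untouched and escapes everything else.
    """


def escape(value):
    """Escape anything that is not already Markup; idempotent on Markup."""
    if isinstance(value, Markup):
        return value
    # quote=True also escapes both quote characters, so the value is safe
    # inside a double- or single-quoted attribute as well as in text.
    return Markup(html.escape(str(value), quote=True))


def render_opt_in(template, **ctx):
    """Smarty/raw-PHP style: a value is escaped only if the author asked.

    Forgetting |escape on a single placeholder injects the raw value.
    """
    def substitute(match):
        value = str(ctx[match.group(1)])
        modifiers = match.group(2).split("|")[1:]   # '' or '|escape' -> [...]
        return html.escape(value, quote=True) if "escape" in modifiers else value
    return _VAR.sub(substitute, template)


def render_auto(template, **ctx):
    """Genshi style: every substitution is escaped unless it is Markup.

    A stray |escape modifier is harmless because escape() is idempotent.
    """
    def substitute(match):
        return escape(ctx[match.group(1)])
    return _VAR.sub(substitute, template)


# Constructed hostile input and two versions of the same template: one where
# the author remembered |escape and one where they forgot.
USER_INPUT = '<script>alert("xss")</script>'
TEMPLATE_FORGOT = "<div>${uservar}</div>"
TEMPLATE_ESCAPED = "<div>${uservar|escape}</div>"


def compare():
    """Render the hostile input through both disciplines and both templates."""
    return {
        "opt_in_forgot": render_opt_in(TEMPLATE_FORGOT, uservar=USER_INPUT),
        "opt_in_escaped": render_opt_in(TEMPLATE_ESCAPED, uservar=USER_INPUT),
        "auto_forgot": render_auto(TEMPLATE_FORGOT, uservar=USER_INPUT),
        "auto_escaped": render_auto(TEMPLATE_ESCAPED, uservar=USER_INPUT),
        # Trusted fragment: only the auto renderer has a way to say "this is HTML".
        "auto_trusted": render_auto("<div>${body}</div>", body=Markup("<b>ok</b>")),
    }


if __name__ == "__main__":
    for name, output in compare().items():
        print(f"{name:15} {output}")
```

Only `opt_in_forgot` emits the `<script>` tag verbatim; the auto-escaping renderer produces the same escaped output whether or not the author remembered the modifier, and the only way to get raw HTML out of it is to mark the value as `Markup` on purpose. Two practitioner caveats: PHP's `htmlspecialchars()` defaulted to `ENT_COMPAT` before PHP 8.1, so it left single quotes alone and was not enough inside a single-quoted attribute unless `ENT_QUOTES` was passed; and HTML escaping is the right transformation only for HTML text and attribute contexts, not for values dropped into `<script>` blocks, URLs or CSS, which need their own encoders regardless of which template engine is in use.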

More information about the Fedora-infrastructure-list mailing list