
Re: Php why must your apps suck so?

Craig Thomas wrote:
> On 10/24/07, Toshio Kuratomi <a badger gmail com> wrote:
>> And in answer to the subject, "Php why must your apps suck so?" the
>> unfortunate answer is that it's built into the language.  <?php $USERVAR
>> ?> and <?php echo $USERVAR ?> are inherently bad because they don't html
>> escape $USERVAR yet it is the method used by practically all php code to
>> output variables to the page.
>>
>> Many Python web frameworks address this issue in the framework by
>> automatically html escaping any variable which is displayed in the
>> template.  Notably, kid and genshi (the template languages we're using
>> for our TG deployments) work this way.  PHP, on the other hand, makes
>> constant vigilance necessary.
>
> Perhaps it's possible to help mitigate any non-escaped output by
> developing (or using) whatever themes need to be developed for a
> Drupal install using smarty ? quite a few of the themes do use smarty.

I just had a brief look at the smarty tutorial. It looks like it would help but it's not as safe as genshi. These two lines do mostly the same thing in genshi, smarty, and raw php:

  <div><?php echo htmlspecialchars($uservar) ?></div>

Since smarty is more cleanly separating the template from the code than raw php, it is easier to see when you are outputting your variables and add "|escape" to them. However, it is still possible to forget to add that command. (Looking at the smarty tutorial, for instance, the authors only use escape in a single variable in a single template. All the other variables output would be unprotected.) Genshi's default of html escaping variables doesn't let you forget that you need to do this. If smarty has a way to change the default, then genshi and smarty would be on an equal footing here.
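
The difference between opt-in escaping and escape-by-default discussed in this message, as an added example that is not part of the original post and is not Smarty's or Genshi's code. The toy renderer, its `{$name|escape}` / `{$name|raw}` placeholder syntax, the `unescaped_placeholders` audit helper and the sample values are all assumptions constructed for illustration.

```python
import html
import re

# Toy placeholder syntax (an assumption for this example, not a real engine):
#   {$name}         unfiltered placeholder
#   {$name|escape}  explicit HTML escape
#   {$name|raw}     explicit opt-out of escaping
_PLACEHOLDER = re.compile(r"\{\$(\w+)(?:\|(escape|raw))?\}")


def render(template, variables, escape_by_default):
    """Fill placeholders; the default decides what an unfiltered one does."""
    def substitute(match):
        name, flt = match.group(1), match.group(2)
        value = str(variables[name])
        if flt == "raw":
            return value  # author explicitly asked for markup
        if flt == "escape" or escape_by_default:
            return html.escape(value, quote=True)  # escaped exactly once
        return value  # opt-in engine and the filter was forgotten
    return _PLACEHOLDER.sub(substitute, template)


def unescaped_placeholders(template):
    """Audit an opt-in template: names that are output without |escape."""
    return [m.group(1) for m in _PLACEHOLDER.finditer(template)
            if m.group(2) != "escape"]


# Constructed sample: the author remembered |escape on one variable only.
TEMPLATE = "<h1>{$title|escape}</h1><div>{$comment}</div>"
VARS = {"title": "Tom & Jerry", "comment": "<script>alert(1)</script>"}

if __name__ == "__main__":
    print("opt-in :", render(TEMPLATE, VARS, escape_by_default=False))
    print("default:", render(TEMPLATE, VARS, escape_by_default=True))
    print("review :", unescaped_placeholders(TEMPLATE))
```

With the same template and data, only the escape-by-default run neutralises the forgotten variable; the audit helper shows what a reviewer of an opt-in template has to catch by hand.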

