[nycphp-talk] Templating engines
Rob Marscher
rmarscher at beaffinitive.com
Thu Jan 24 02:17:23 EST 2008
On Jan 23, 2008, at 3:56 PM, Cliff Hirsch wrote:
> On 1/23/08 3:44 PM, "John Campbell" <jcampbell1 at gmail.com> wrote:
>> I just discovered smarty has default modifiers:
>> http://www.smarty.net/manual/en/variable.default.modifiers.php
> Smarty does have an override: {$var|smarty:nodefaults} to cover the
> exceptions.
That's right... I remember seeing something similar in another
templating system and thought it was probably a good idea. I guess it
will probably end up escaping more data than it has to... but it might
save you from user error leading to XSS attacks. I always wondered
how much of a blip on the radar all the escaping does to the server
and if it would be worth caching some things in their escaped state.
On Jan 23, 2008, at 5:40 PM, Cliff Hirsch wrote:
> I wonder what the default order is for the default escape -- first
> or last.
It's got to be first... but I guess I'd have to test to be sure.
On Jan 23, 2008, at 2:50 PM, Cliff Hirsch wrote:
> On 1/23/08 2:33 PM, "Rob Marscher" <rmarscher at beaffinitive.com> wrote:
>> I decided that the view/template has to be responsible for escaping.
> I can't see how it can't be a mix. What if your variable
> intentionally has markup? Some content may allow, and intentionally
> have, simple markup like <b>, <ul/li>, <br> etc. Escaping this
> variable in the template would not be a good thing.
Yeah, I meant that it would be a mix and the template would know to
not escape (or to unescape with the nodefaults modifier in the Smarty
example above) variables that contain markup. Probably a good idea to
employ some type of naming scheme for those variables and make sure
they are filtered when they come from user input.
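Added example (my own toy code, not Smarty's and not anything posted in this thread): a minimal renderer that mimics the default-modifier and `{$var|smarty:nodefaults}` behaviour discussed above and turns the suggested naming scheme into a check. It assumes default modifiers are applied before the explicit ones, and that an `_html` suffix marks a variable whose markup was filtered on input.

```php
<?php
// Toy renderer, not Smarty itself. Assumptions: default modifiers run first,
// before the explicit ones; unescaped output is only allowed for variables
// named with an "_html" suffix, whose values the caller filtered on input.
function renderTemplate(string $tpl, array $vars, array $defaults = ['escape']): string
{
    // 'escape' is only correct for HTML body text, not attributes, URLs or JS.
    $modifiers = [
        'escape' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
        'nl2br'  => fn(string $s): string => nl2br($s),
    ];

    return preg_replace_callback(
        '/\{\$(\w+)((?:\|[\w:]+)*)\}/',
        function (array $m) use ($vars, $defaults, $modifiers): string {
            $name  = $m[1];
            $value = (string) ($vars[$name] ?? '');
            $chain = $m[2] === '' ? [] : explode('|', ltrim($m[2], '|'));
            // smarty:nodefaults switches the default chain off for this variable
            // only; refuse it unless the variable name marks the value as markup.
            $key = array_search('smarty:nodefaults', $chain, true);
            if ($key !== false) {
                if (substr($name, -5) !== '_html') {
                    throw new RuntimeException("nodefaults refused for \${$name}: not an _html variable");
                }
                unset($chain[$key]);
            } else {
                $chain = array_merge($defaults, $chain); // defaults first, then explicit
            }
            foreach ($chain as $mod) {
                if (!isset($modifiers[$mod])) {
                    throw new InvalidArgumentException("unknown modifier: $mod");
                }
                $value = $modifiers[$mod]($value);
            }
            return $value;
        },
        $tpl
    );
}

// Constructed sample: $comment is raw user input, $bio_html was filtered on input.
$vars = [
    'comment'  => "<script>alert(1)</script>\nsecond line",
    'bio_html' => 'Likes <b>PHP</b>',
];
echo renderTemplate('<p>{$comment|nl2br}</p><p>{$bio_html|smarty:nodefaults}</p>', $vars), "\n";
```

Because escape runs before nl2br, the `<br />` that nl2br inserts survives while the user's `<script>` is entity-encoded; with the order reversed the line break would be escaped too, which is why the "first or last" question matters.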