Smarty
jbeninger Smarty n00b
Joined: 15 Apr 2006 Posts: 2
Posted: Sat Apr 15, 2006 7:18 pm Post subject: Auto-escape for more security
I'd like to suggest an auto-escape option for smarty. This feature would automatically call htmlspecialchars() on the results of {variables and functions} unless the |noescape modifier appears as the final modifier. This wouldn't be enabled by default, but could prove a very useful feature:
- As lead developer in a team of people with varying backgrounds and skills, I'd rather not look through everyone's code to make sure everything's escaped. If people were forced to explicitly request non-escaped code, it would make the development process more secure.
- It's also a bit easier on the coders, since they don't have to sprinkle |escape throughout their code.
Now before you bring up the problems and tell me why this won't work, I've thought it through and realize this isn't as easy as it sounds. Off the top of my head:
- Many functions return html code, which we certainly do *not* want escaped. Perhaps only variables, expressions, and modifiers - or only variables and expressions - should be auto-escaped.
- It requires a special modifier - "noescape" - which the smarty engine itself would have to be aware of (i.e. it wouldn't really be a "modifier" that could be called generically like other modifiers).
Basically, I just wanted to start a discussion on this option, since I believe that it would be a worthwhile feature to have, and would certainly act to improve security.
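As an added example, not Smarty's own code or anything posted in this thread, here is a stand-alone PHP sketch of the rules proposed above: every `{$var}` is passed through htmlspecialchars() after its modifiers have run, `|noescape` is honoured only when it is the final modifier, and `{function ...}` output is left untouched because functions are expected to return HTML. The `upper` modifier, the `link` function and the sample data are hypothetical stand-ins constructed for the example.

```php
<?php
// Illustrative mini-renderer for the auto-escape proposal (not Smarty's code).
// Rules: {$var} is escaped; modifiers run first, then the escape; a trailing
// |noescape emits raw output; {func ...} output is treated as HTML and kept raw.
// Hypothetical modifier table (constructed for the example).
$modifiers = ['upper' => fn(string $s): string => strtoupper($s)];

// Hypothetical template function: returns markup on purpose and escapes its own inputs.
$functions = ['link' => fn(array $p): string =>
    '<a href="' . htmlspecialchars($p['href'], ENT_QUOTES, 'UTF-8') . '">'
    . htmlspecialchars($p['text'], ENT_QUOTES, 'UTF-8') . '</a>'];

function render(string $tpl, array $vars, array $modifiers, array $functions): string
{
    return preg_replace_callback('/\{([^{}]+)\}/', function (array $m) use ($vars, $modifiers, $functions) {
        $parts = explode('|', $m[1]);
        $head  = trim(array_shift($parts));
        if ($head !== '' && $head[0] === '$') {
            $value  = (string) ($vars[substr($head, 1)] ?? '');
            // Escaping is skipped only when noescape is the *final* modifier.
            $escape = !($parts !== [] && end($parts) === 'noescape');
            foreach ($parts as $mod) {
                if ($mod === 'noescape') { continue; } // engine keyword, not a callable modifier
                if (!isset($modifiers[$mod])) {
                    throw new InvalidArgumentException("unknown modifier: $mod");
                }
                $value = $modifiers[$mod]($value);
            }
            return $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
        }
        // {func key=$var ...}: functions return HTML by design, so they are never auto-escaped.
        $tokens = preg_split('/\s+/', $head);
        $name   = array_shift($tokens);
        if (!isset($functions[$name])) {
            throw new InvalidArgumentException("unknown function: $name");
        }
        $params = [];
        foreach ($tokens as $t) {
            [$k, $v]    = explode('=', $t, 2);
            $params[$k] = ($v !== '' && $v[0] === '$') ? (string) ($vars[substr($v, 1)] ?? '') : trim($v, '"\'');
        }
        return $functions[$name]($params);
    }, $tpl);
}

// Constructed sample data: hostile name, trusted bio markup, URL containing an ampersand.
$vars = ['name' => '<script>alert(1)</script>', 'bio' => '<b>bold</b>', 'url' => 'https://example.com/?a=1&b=2'];
$tpl  = '<h1>{$name}</h1> <p>{$bio|noescape}</p> <p>{$name|upper}</p> {link href=$url text=$name} <p>{$bio|noescape|upper}</p>';
echo render($tpl, $vars, $modifiers, $functions), "\n";
```

The last `{$bio|noescape|upper}` is still escaped because `noescape` is not the final modifier, which is the behaviour the proposal asks for; the trade-off is that a modifier whose job is to emit markup would also be escaped unless `|noescape` follows it.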
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
jbeninger Smarty n00b
Joined: 15 Apr 2006 Posts: 2
Posted: Sun Apr 16, 2006 3:13 pm Post subject: Dagnabbit
That's exactly the solution I was looking for. I'd checked the forums, but apparently not hard enough.
Thanks a lot.