Smarty
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Wed Mar 02, 2011 6:01 pm Post subject: Auto-HTML-escaping variables
From http://www.smarty.net/forums/viewtopic.php?t=18926&highlight=
mohrt wrote:
It is easy to selectively HTML-escape template variables with the {$foo|escape} modifier. However, sometimes it is advantageous to have everything assigned to Smarty automatically HTML-escaped to reduce the risks of XSS (cross-site scripting) vulnerabilities.
Smarty currently does not do this out of the box, nor does it offer a flag to enable this, but it is quite trivial to implement with a variable filter. Here is how it is done:
First, somewhere in your code make a function to do the escapement:
Code:
function escFilter($content, $smarty) {
    // HTML context: &, <, >, " and ' become entities; ENT_QUOTES covers both quote styles
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}
Now register the variable filter with Smarty:
Code:
$smarty->registerFilter('variable', 'escFilter');
Now any variable assigned to Smarty will be HTML escaped:
PHP:
Code:
$smarty->assign('foo', 'This is <some> content');
Template:
Output:
Code:
This is &lt;some&gt; content
You can also selectively "unescape" variables by skipping the filter:
Template:
Code:
{$foo} {* this gets filtered *}
{$foo nofilter} {* this does not *}
Output:
Code:
This is &lt;some&gt; content
This is <some> content
It would be nice if this were part of the language, and we could use existing filters rather than creating a new function. Also, it would be nice if it only applied to one file (like putting this at the top of the file):
{set_filter 'escape'}
or this, if it is possible:
{set_filter escape:'javascript'}
This is especially good if you sometimes include Smarty files that someone else created or from some library, or if you just don't want to change all files to use one escaping strategy. In all of those cases setting a variable filter used for all templates is impractical.
Also, I'm assuming that if there is a variable filter set with
Code:
$smarty->registerFilter('variable', 'escFilter');
and I want to use a javascript escape instead, that this would work:
Code:
{$foo|escape:'javascript' nofilter}
Last edited by douglassdavis on Wed Mar 02, 2011 6:32 pm; edited 1 time in total
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Wed Mar 02, 2011 6:08 pm Post subject:
We do have some ideas in mind to make some of this part of the language. As for:
{set_filter 'escape'}
and
{set_filter escape:'javascript'}
you can implement these things already with custom functions. The first would call $smarty->registerFilter() for you. The second, you adjust your filter/plugin to handle an additional parameter.
{set_filter "escape" "javascript"}
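As an added example (not code from this thread or from the Smarty project), here is one way to put together the escFilter from the first post and the custom {set_filter} tag suggested above: a single filter object whose strategy ('html' or 'javascript') a template tag can switch at render time. It assumes the Smarty 3.x registerFilter/registerPlugin API; the class name EscapeFilter, the tag name set_filter and its named attributes filter="escape" strategy="javascript" are choices made here, not Smarty syntax.

```php
<?php
// Added example, not code from this thread or from the Smarty project.
// Assumptions: Smarty 3.x API (registerFilter / registerPlugin); the class
// name EscapeFilter, the tag name set_filter and its named attributes
// (filter="escape" strategy="javascript") are hypothetical choices made here.

class EscapeFilter
{
    private static $instance = null;

    // Escaping strategy applied to every {$var} output: 'html' or 'javascript'.
    private $strategy = 'html';

    // One shared instance, so the template tag and the registered filter agree.
    public static function instance()
    {
        if (self::$instance === null) {
            self::$instance = new self();
        }
        return self::$instance;
    }

    public function setStrategy($strategy)
    {
        if (!in_array($strategy, array('html', 'javascript'), true)) {
            // Refuse unknown names rather than silently falling back to no escaping.
            throw new InvalidArgumentException("unknown escape strategy: $strategy");
        }
        $this->strategy = $strategy;
    }

    public function getStrategy()
    {
        return $this->strategy;
    }

    // Signature Smarty expects from a variable filter: ($content, $template).
    public function filter($content, $template = null)
    {
        $content = (string) $content;
        if ($this->strategy === 'javascript') {
            // Same replacement table Smarty's escape:'javascript' modifier uses:
            // neutralises backslashes, quotes, line breaks and a closing "</script>".
            // (U+2028/U+2029 line separators are not covered; add them if the
            // value lands inside a <script> block in an HTML page.)
            return strtr($content, array(
                '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
                "\r" => '\\r', "\n" => '\\n', '</' => '<\\/',
            ));
        }
        // HTML context: &, <, >, " and ' become entities.
        return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    }
}

// Template tag {set_filter filter="escape" strategy="javascript"}: switches the
// strategy for every variable rendered after this point in the current request.
function smarty_function_set_filter($params, $template)
{
    if (isset($params['filter']) && $params['filter'] === 'escape') {
        $strategy = isset($params['strategy']) ? $params['strategy'] : 'html';
        EscapeFilter::instance()->setStrategy($strategy);
    }
    return '';
}

// Wiring from PHP, before fetch()/display() (requires Smarty to be loaded):
//   $smarty->registerFilter('variable', array(EscapeFilter::instance(), 'filter'));
//   $smarty->registerPlugin('function', 'set_filter', 'smarty_function_set_filter');
//   $smarty->assign('foo', "This is <some> content with a ' quote");

// The filter itself can be exercised without Smarty:
$f = EscapeFilter::instance();
$sample = "This is <some> content with a ' quote";   // constructed sample value
echo $f->filter($sample), "\n";                       // html strategy (default)
smarty_function_set_filter(array('filter' => 'escape', 'strategy' => 'javascript'), null);
echo $f->filter($sample), "\n";                       // javascript strategy
```

Two points worth keeping in mind with this design. The filter is registered once from PHP; the template tag only changes which escaping that already-registered filter applies, so it cannot turn escaping on for a template that was rendered without the filter. And the switch persists for the rest of the request, so a file that changes the strategy at its top should restore it at its bottom (the top/bottom block idea discussed later in this thread); a value escaped for a JavaScript string literal is not safe to drop into plain HTML, and vice versa.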
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Wed Mar 02, 2011 6:32 pm Post subject:
mohrt wrote:
We do have some ideas in mind to make some of this part of the language. As for:
{set_filter 'escape'}
and
{set_filter escape:'javascript'}
you can implement these things already with custom functions. The first would call $smarty->registerFilter() for you. The second, you adjust your filter/plugin to handle an additional parameter.
{set_filter "escape" "javascript"}
Ok, good idea about:
{set_filter "escape" "javascript"}
But, is there any way I could apply that to one file?
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Wed Mar 02, 2011 6:33 pm Post subject:
Put the block plugin tags at the top/bottom?
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Wed Mar 02, 2011 6:41 pm Post subject:
mohrt wrote:
Put the block plugin tags at the top/bottom?
Didn't think about doing it that way.. good idea.