
Auto-HTML-escaping variables

This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> Feature Requests
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Wed Mar 02, 2011 6:01 pm    Post subject: Auto-HTML-escaping variables

From http://www.smarty.net/forums/viewtopic.php?t=18926&highlight=

mohrt wrote:
It is easy to selectively HTML-escape template variables with the {$foo|escape} modifier. However, sometimes it is advantageous to have everything assigned to Smarty automatically HTML-escaped to reduce the risks of XSS (cross-site scripting) vulnerabilities.

Smarty currently does not do this out of the box, nor does it offer a flag to enable this, but it is quite trivial to implement with a variable filter. Here is how it is done:

First, somewhere in your code make a function to do the escapement:

Code:
// Variable filter: HTML-escape every value Smarty outputs.
// The encoding must be the quoted string 'UTF-8'; an unquoted UTF-8
// is parsed by PHP as the expression (UTF - 8), not as an encoding name.
function escFilter($content, $smarty) {
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}


Now register the variable filter with Smarty:

Code:
$smarty->registerFilter('variable','escFilter');


Now any variable assigned to Smarty will be HTML escaped:

PHP:
Code:
$smarty->assign('foo','This is <some> content');


Template:
Code:
{$foo}


Output:
Code:
This is &lt;some&gt; content


You can also selectively "unescape" variables by skipping the filter:

Template:
Code:
{$foo}   {* this gets filtered *}
{$foo nofilter}  {* this does not *}


Output:

Code:
This is &lt;some&gt; content
This is <some> content




It would be nice if this were part of the language, and we could use existing filters rather than creating a new function. Also, it would be nice if it only applied to one file (like putting this at the top of the file):

{set_filter 'escape'}

or this, if it is possible:
{set_filter escape:'javascript'}

This is especially good if you sometimes include Smarty files that someone else created or that come from some library, or if you just don't want to change all files to use one escaping strategy. In all of those cases, setting a variable filter used for all templates is impractical.


Also, I'm assuming if there is a variable filter set with

Code:
$smarty->registerFilter('variable','escFilter');


and I want to use a javascript escape instead that this would work:

Code:
{$foo|escape:'javascript' nofilter}


Last edited by douglassdavis on Wed Mar 02, 2011 6:32 pm; edited 1 time in total
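The two contexts discussed in this post, the HTML-escaping variable filter quoted from mohrt and the JavaScript escape applied with nofilter, behave differently on the same value. The following is an added example, not code from the thread or from the Smarty project: it defines the filter function with the encoding argument quoted, a JavaScript-string escaper of my own (modelled on what an escape:'javascript' modifier has to do, not Smarty's implementation), and a small function that renders one constructed value the three ways the templates in this thread spell it. It runs with plain php and does not need Smarty installed.

```php
<?php
declare(strict_types=1);

/**
 * HTML-context variable filter, the function one would register with
 * $smarty->registerFilter('variable', 'escFilter'). The encoding is the
 * string 'UTF-8'; unquoted, PHP reads UTF-8 as the expression (UTF - 8).
 * ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of returning ''.
 */
function escFilter(string $content, $smarty = null): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * JavaScript-string-literal context (own implementation, an assumption
 * about what escape:'javascript' must cover, not Smarty's code):
 * backslash-escape quotes, backslashes and line breaks, and break the
 * "</" sequence so a value cannot close the enclosing <script> early.
 */
function escJs(string $content): string
{
    return strtr($content, [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\r" => '\\r',
        "\n" => '\\n',
        '</' => '<\\/',
    ]);
}

/**
 * Renders one value the three ways the thread's templates spell it:
 *   {$foo}                              -> variable filter applied
 *   {$foo nofilter}                     -> raw value, filter skipped
 *   {$foo|escape:'javascript' nofilter} -> JS escaping only, no HTML escaping
 * Returned as an array keyed by the template spelling.
 */
function renderVariants(string $value): array
{
    return [
        '{$foo}'                               => escFilter($value),
        '{$foo nofilter}'                      => $value,
        "{\$foo|escape:'javascript' nofilter}" => escJs($value),
    ];
}

// Constructed sample input: markup, both quote styles, a line break,
// a closing script tag and a non-ASCII character.
$sample = "This is <some> content with \"quotes\", an 'apostrophe',\n"
        . "a </script> close tag and an accent: é";

foreach (renderVariants($sample) as $spelling => $output) {
    echo $spelling, ":\n", $output, "\n\n";
}

// Inside a quoted JS literal the HTML filter is the wrong tool: it would
// turn ' and " into &#039; and &quot;, which the browser does not decode
// inside <script>, while leaving the line break to terminate the literal.
printf("<script>var foo = '%s';</script>\n", escJs($sample));
```

The point the three renderings make is that a variable filter is a single, HTML-oriented default: it removes the need to remember |escape on every HTML output, but a value placed in a script block still needs the JavaScript escaper, and needs nofilter so the HTML filter is not applied on top of it.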
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Wed Mar 02, 2011 6:08 pm

We do have some ideas in mind to make some of this part of the language. As for:

{set_filter 'escape'}

and

{set_filter escape:'javascript'}

you can implement these things already with custom functions. The first would call $smarty->registerFilter() for you. For the second, you adjust your filter/plugin to handle an additional parameter:

{set_filter "escape" "javascript"}
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Wed Mar 02, 2011 6:32 pm

mohrt wrote:
We do have some ideas in mind to make some of this part of the language. As for:

{set_filter 'escape'}

and

{set_filter escape:'javascript'}

you can implement these things already with custom functions. The first would call $smarty->registerFilter() for you. For the second, you adjust your filter/plugin to handle an additional parameter:

{set_filter "escape" "javascript"}


Ok, good idea about:

{set_filter "escape" "javascript"}

But, is there any way I could apply that to one file?
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Wed Mar 02, 2011 6:33 pm

Put the block plugin tags at the top/bottom?
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Wed Mar 02, 2011 6:41 pm

mohrt wrote:
Put the block plugin tags at the top/bottom?


Didn't think about doing it that way... good idea.