Auto-escape for more security

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> Feature Requests
View previous topic :: View next topic  
Author Message
jbeninger
Smarty n00b


Joined: 15 Apr 2006
Posts: 2

PostPosted: Sat Apr 15, 2006 7:18 pm    Post subject: Auto-escape for more security

I'd like to suggest an auto-escape option for smarty. This feature would automatically call htmlspecialchars() on the results of {variables and functions} unless the |noescape modifier appears as the final modifier. This wouldn't be enabled by default, but could prove a very useful feature:

- As lead developer in a team of people with varying backgrounds and skills, I'd rather not look through everyone's code to make sure everything's escaped. If people were forced to explicitly request non-escaped code, it would make the development process more secure.

- It's also a bit easier on the coders, since they don't have to sprinkle |escape throughout their code.



Now before you bring up the problems and tell me why this won't work, I've thought it through and realize this isn't as easy as it sounds. Off the top of my head:

- Many functions return html code, which we certainly do *not* want escaped. Perhaps only variables, expressions, and modifiers - or only variables and expressions - should be auto-escaped.

- It requires a special modifier - "noescape" - which the smarty engine itself would have to be aware of (i.e. it wouldn't really be a "modifier" that could be called generically like other modifiers).


Basically, I just wanted to start a discussion on this option, since I believe that it would be a worthwhile feature to have, and would certainly act to improve security.
boots
Administrator


Joined: 16 Apr 2003
Posts: 5611
Location: Toronto, Canada

PostPosted: Sat Apr 15, 2006 7:47 pm    Post subject:

Sounds like you are thinking of some form of this: http://smarty.php.net/manual/en/variable.default.modifiers.php

Also search the forum -- this has been discussed a couple of times.
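For readers who land here looking for the mechanism boots links to: the following is an added example, not code from the thread or from the Smarty project, showing the `$default_modifiers` setting from the Smarty 2 manual page above. It applies `escape:"htmlall"` to every `{$variable}` in every template, which is the "escape unless the template opts out" behaviour jbeninger asks for, with `|smarty:nodefaults` playing the role of his proposed `|noescape`. The temp-directory layout, the template file and the assigned values are all constructed for the demo; it assumes the Smarty 2 class file is on the PHP include path.

```php
<?php
// Added example (not from the forum thread): opt-out HTML escaping via
// Smarty 2's $default_modifiers, as documented at
// http://smarty.php.net/manual/en/variable.default.modifiers.php
require_once 'Smarty.class.php'; // assumption: Smarty 2 is on the include path

// Constructed working directories for the demo (Smarty 2 needs a template
// directory to read from and a writable directory for compiled templates).
$base = sys_get_temp_dir() . '/smarty_autoescape_demo';
@mkdir("$base/templates", 0700, true);
@mkdir("$base/templates_c", 0700, true);

// Constructed template. {$comment} receives the default modifiers;
// {$trusted_html|smarty:nodefaults} is explicitly exempted, which is the
// only way a template author can emit raw markup once defaults are on.
file_put_contents(
    "$base/templates/comment.tpl",
    "<p>{\$comment}</p>\n<div>{\$trusted_html|smarty:nodefaults}</div>\n"
);

$smarty = new Smarty;
$smarty->template_dir = "$base/templates";
$smarty->compile_dir  = "$base/templates_c";

// The security-relevant line: every variable output in every template is
// passed through escape:"htmlall" unless the template opts out. Note this
// covers {$variables} only; output of template functions is not affected,
// which matches the first caveat raised in the opening post.
$smarty->default_modifiers = array('escape:"htmlall"');

// Constructed untrusted input, as a user might submit it ...
$smarty->assign('comment', '<b>hi</b> & "bye"');
// ... and markup the application itself produced and intends to render.
$smarty->assign('trusted_html', '<em>editor note</em>');

// fetch() returns the rendered page as a string instead of printing it,
// which makes it easy to inspect or log during a review.
echo $smarty->fetch('comment.tpl');
```

With the defaults on, the `<`, `>`, `&` and `"` in `$comment` come out as HTML entities because `escape:"htmlall"` runs `htmlentities()` over the value, while `$trusted_html` is rendered as-is. The practical benefit for a team lead is the one jbeninger describes: a reviewer only needs to grep templates for `nodefaults` to find every place raw markup is allowed, instead of checking that `|escape` was remembered everywhere.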
jbeninger
Smarty n00b


Joined: 15 Apr 2006
Posts: 2

PostPosted: Sun Apr 16, 2006 3:13 pm    Post subject: Dagnabbit

That's exactly the solution I was looking for. I'd checked the forums, but apparently not hard enough.

Thanks a lot.