The discussions here are for Smarty, a template engine for the PHP programming language.

automatic escaping feature?

douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Sun Oct 11, 2009 1:55 pm    Post subject: automatic escaping feature?

This article:
http://fabien.potencier.org/article/34/templating-engines-in-php

Posted here:
http://www.smarty.net/forums/viewtopic.php?t=16136&highlight=

mentioned automatic output escaping and how smarty 3 will have it. Interesting idea, but it sounds a little like magic quotes to me in that it's supposed to solve all of your problems, but then ends up creating problems.

Maybe I don't really understand it, and forgive me if this has already been discussed, but if it means that everything will automagically be escaped then some issues I see with this are:
1. If it's globally set to on, old scripts will no longer output correctly because we use |escape already on most of the outputs (and maybe sometimes htmlspecialchars).
2. If it's globally set to off on a specific site, one team member will be creating templates as if it is set to on (or vice versa), and then, surprise! Injection attack or it doesn't output correctly.
3. What if I am using it in Javascript, a URL, mail and want to escape via the appropriate way for that type of output.
4. What if I am outputting HTML saved in the DB, and don't want to escape it at all?

Just googling it, I see a lot of complaints/questions about how to get output escaping to work right in symfony.

The only way I can think of is to build something into the language where at the top of the template i can set escaping to on, but then within the tags I can say "escape this way (JS/URL...)" or "don't escape at all."

I suppose the escape filter could be sensitive to the current escape settings. For example, don't do anything if output is already being escaped, for escape:url turn off the auto escape and urlencode, and a new escape mode of "none" can be added. but, that seems a little messy.

Your thoughts?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Sun Oct 11, 2009 8:49 pm

For autoescaping you can register a variable filter with the register_variablefilter method. It works the same way as registering a pre-, post- or outputfilter.

This filter is used on variable output.

The filter usage can be controlled in several ways.

It can be globally enabled by the property $smarty->variable_filter (true by default).

If filtering is globally enabled you can disable it for a single output in the template by
{$foo nofilter}

If filtering is globally disabled you can still use it by enabling it in the template by
{$foo filter}
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Sun Oct 11, 2009 10:36 pm

hmm... so to do a JS escape I would have to

Code:

...
var x="{$some_text|escape:'javascript' nofilter}"
...


When really instead of turning filters off, I do want a filter, I just want a JS filter.

Also, it seems there can only be one variable filter? Just an idea, but would be nice if you could have multiple filters defined like:

Code:

//                  Name   Function to call
//                  -------  ------------
$filters = array('filter_html' => 'my_htmlspecialchars',
                       'filter_url' => 'my_urlencode',
                       ...   );
...
$smarty->register_variablefilter($filters, 'filter_html'); // 2nd optional param is the default one used when user just says 'filter'

Maybe there can be a $smarty->set_default_variablefilter function too, in case I don't want to change the set of variable filters, I just want to set the default. And maybe they could be settable one at a time instead of, or as well as, via an array.


Code:

// the javascript
...
var x="{$some_text filter_js}"
...

<!-- The HTML -->
{$some_text filter}

<!-- Or -->
{$some_text filter_html}



Lastly, I think perhaps it should be possible to change the template setting on a per template file basis, from within the template. I don't want some one screwing up my template because they changed some global setting.

Couple questions:

1. As it stands now, if the user says "filter" and there is no filter enabled, will it give a warning or just skip it?

2. Is there a built in filter or does each user have to define their own? My vote would be some built in ones.


Just something to think about...


Last edited by douglassdavis on Mon Oct 12, 2009 3:25 pm; edited 1 time in total
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Mon Oct 12, 2009 3:21 pm

Some more ideas:

Let us call them escape filters in future, and not variable filters.

You can register your own filter functions by registering PHP functions:
$smarty->register_escapefilter('filtername','PHP function name');
You can register any number of custom filters.

Standard modifier plugins can also be used as escape filter.

A default escape filter can be activated with
$smarty->default_escape_filter = 'filtername';
or
$smarty->default_escape_filter = 'modifiername';

$smarty->default_escape_filter = null; disables escaping at script level.

Inside the template you can override the default filter setting with
{escape filter=filtername}
or
{escape filter=modifiername}

Default filters will be used like a hidden modifier on each output tag.

You can override the default escaping by
{$foo||otherfilter}
The || is the syntax that the filter shall be replaced (in contrast to modifiers which will be chained)

You can still use modifiers with your output as usual. The modifiers run first before the filter.
{$foo|mod1|mod2} will run the two modifiers and then the default filter.
{$foo|mod1|mod2||otherfilter} will run the special filter after the modifiers.

{$foo||save} will disable any filtering for this output.



Comments are welcome
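As an added example (not Smarty's code, and not the syntax that eventually shipped; the names $escapeFilters, $defaultEscapeFilter and applyOutput() are assumptions), the following plain PHP models the escape-filter semantics proposed in the post above together with the context-specific escaping (HTML, JavaScript, URL, none) asked for in the opening post: a default filter applied like a hidden modifier, modifiers running first, "||name" replacing the default, "||save" switching escaping off, and an unregistered filter name rejected instead of silently skipped.

```php
<?php
// Added example, not Smarty code: a plain-PHP model of the escape-filter
// design discussed in this thread. $escapeFilters, $defaultEscapeFilter
// and applyOutput() are names assumed here for illustration.

// Registered escape filters, keyed by the name a template would use
// ({$foo||html}, {$foo||js}, {$foo||url}). Each escapes for one output context.
$escapeFilters = array(
    'html' => function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); },
    // For use inside a quoted JS string literal: var x = "{$foo||js}"
    'js'   => function ($s) { return strtr($s, array('\\' => '\\\\', "'" => "\\'",
                  '"' => '\\"', "\r" => '\\r', "\n" => '\\n', '</' => '<\\/')); },
    'url'  => function ($s) { return rawurlencode($s); },
);

// Script-level default (the proposal's $smarty->default_escape_filter);
// null disables escaping for every output tag.
$defaultEscapeFilter = 'html';

// Render one output tag: modifiers run first, then exactly one escape filter.
// $override is the name after "||"; 'save' switches escaping off for this tag.
function applyOutput($value, array $modifiers = array(), $override = null)
{
    global $escapeFilters, $defaultEscapeFilter;
    foreach ($modifiers as $mod) {
        $value = call_user_func($mod, $value);       // e.g. {$foo|upper}
    }
    if ($override === 'save') {
        return $value;                                // trusted HTML from the DB, etc.
    }
    $name = ($override === null) ? $defaultEscapeFilter : $override;
    if ($name === null) {
        return $value;                                // escaping disabled at script level
    }
    if (!isset($escapeFilters[$name])) {
        // A misspelt or unregistered filter fails closed instead of emitting raw output.
        throw new InvalidArgumentException("unknown escape filter '$name'");
    }
    return call_user_func($escapeFilters[$name], $value);
}

$untrusted = '<script>alert("x")</script>';          // constructed sample input

echo applyOutput($untrusted), "\n";                        // {$foo}: default html filter
echo applyOutput($untrusted, array('strtoupper')), "\n";   // {$foo|upper}: modifier, then html
echo applyOutput($untrusted, array(), 'js'), "\n";         // {$foo||js}: js replaces the default
echo applyOutput($untrusted, array(), 'url'), "\n";        // {$foo||url}: for a query string
echo applyOutput($untrusted, array(), 'save'), "\n";       // {$foo||save}: no escaping at all
```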
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Mon Oct 12, 2009 5:14 pm

I like the ideas of how to specify filters and default filters.

Some comments/questions:

In your scenario, would {$foo||save} act like 'nofilter'? If so, I like the word "nofilter," which could either be a keyword or a built in filter that does no modification. "Save" sounds like it has something to do with saving to disk.


Questions: With

{escape filter=filtername}
or
{escape filter=modifiername}

I suppose if there is a filter and a modifier of the same name, the filter would override the modifier (or vice versa)?


When using modifiers, I'm not sure if/how you could specify a modifier with parameters. I suppose you could use

$smarty->register_escapefilter('filtername',"escape:'js'");
or
{escape filter="escape:'js'"}

But that seems like it might complicate both the implementation of smarty and the syntax you specify the default filters with. Modifiers with parameters also leads to the question of whether filters in general or default filters can have parameters. So, not sure if/when parameters should be allowed or whether allowing modifiers to be filters complicates things.
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Mon Oct 12, 2009 5:42 pm

I would try a registered filter first. If it does not exist try a modifier.

The implementation of parameters should be possible.
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Mon Oct 12, 2009 10:27 pm

U.Tews wrote:
I would try a registered filter first. If it does not exist try a modifier.

The implementation of parameters should be possible.


Cool. Not sure how a default filter would specify a parameter.

Also, the || looks like an or. I suppose that shouldn't be a problem, I can't think of any better characters right now.