gazoot Smarty Regular
Joined: 20 Feb 2005 Posts: 35
Posted: Mon Apr 04, 2005 8:49 am Post subject: Just an escape|truncate reminder
This is a quite obvious thing, but in case someone didn't think of it: When escaping input fields, consider adding a |truncate modifier as well, in case someone is sending huge strings trying to mess up the system. Think of the longest string anyone could possibly put in the field, double it to satisfy Murphy and his annoying laws, and you should be ok!
Code:
First name: <input type="text" name="firstname" value="{$smarty.post.firstname|escape|truncate:100:"":true}">
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Mon Apr 04, 2005 1:45 pm Post subject:
Although this works ok, in practice the truncation should be an application-level function, not a display function. If you want form input truncated, that is best done before being assigned to the template. If you want the output truncated purely for a presentational reason (such as an abstract from a paragraph of text), then truncate fits the bill.
gazoot Smarty Regular
Joined: 20 Feb 2005 Posts: 35
Posted: Mon Apr 04, 2005 3:52 pm Post subject:
Yes, it's convenient, but you are right. But doesn't that apply to escaping as well?
boots Administrator
Joined: 16 Apr 2003 Posts: 5611 Location: Toronto, Canada
Posted: Mon Apr 04, 2005 4:09 pm Post subject:
Quote: But doesn't that apply to escaping as well?
Well, purists might argue that using the $smarty.post/get vars is a bad idea to begin with. After all, user input should be processed by your application, not your template. So in this case I would have to say, "yes".
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Mon Apr 04, 2005 4:19 pm Post subject:
In the context of (re)displaying a form, it would probably be OK to pre-escape the form variables since they are always escaped, so long as you remember they are pre-escaped. In the general sense, escapement is a presentation formatting function. For instance, escaping a variable that contains CSS or JAVASCRIPT might not be desirable. I like to pass the raw data and use the escape modifier so I visually keep track of what is escaped in the template.
OTOH, truncating form content is changing the data model, which is something that should be left to the application logic.
gazoot Smarty Regular
Joined: 20 Feb 2005 Posts: 35
Posted: Mon Apr 04, 2005 4:30 pm Post subject:
Quote: OTOH, truncating form content is changing the data model, which is something that should be left to the application logic.
How do you mean changing the data model? I find it so convenient to add a modifier to a field in the template, but if you have a very good reason to stop doing that and put truncate functions in the PHP code instead, I would like to know about it!
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
Posted: Mon Apr 04, 2005 4:53 pm Post subject:
In the context of (re)submitting a form, the template is changing the data that is going through the form submit cycle with truncate. This could cause problems if the template is erroneously chopping off data that the form is expecting as content. The template should never change the data being submitted. Escaping isn't really considered changing the data model, it is only formatting it so it can be passed back through the form correctly.
In the context of displaying a variable, using modifiers to alter the display of a variable is fine, as this only affects the presentation of the data, not the data itself.
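As an added example (not code from this thread or from Smarty itself), here is the split mohrt describes, written in plain PHP so it runs without Smarty: the length limit is enforced on the raw input in application code and reported as a validation error rather than silently applied, the display step only escapes, and the escape|truncate chain from the first post is reproduced to show why truncating after escaping can leave a broken HTML entity. The field name and the 100-character limit come from the first post; the function names, the error messages and the sample input are assumptions constructed for the example.

```php
<?php
// Added example, not from the thread or from Smarty. Application-level length
// handling for a form field, with escaping left to the display step.
declare(strict_types=1);

const FIRSTNAME_MAX = 100; // limit taken from the first post's truncate:100

/**
 * Application logic: trim, then enforce the limit on the RAW (unescaped)
 * data. Returns [value, error-or-null] so the caller can redisplay the
 * form with a message instead of silently changing what the user sent.
 */
function validateFirstname(string $raw): array
{
    $value = trim($raw);
    if ($value === '') {
        return ['', 'First name is required.'];
    }
    // mb_strlen counts characters, not bytes, so a multi-byte name is never
    // cut in the middle of a UTF-8 sequence.
    if (mb_strlen($value, 'UTF-8') > FIRSTNAME_MAX) {
        return [
            mb_substr($value, 0, FIRSTNAME_MAX, 'UTF-8'),
            'First name is limited to ' . FIRSTNAME_MAX . ' characters.',
        ];
    }
    return [$value, null];
}

/**
 * Presentation: escape for an HTML attribute. This is what Smarty's default
 * |escape modifier does (htmlspecialchars with ENT_QUOTES); it is done in
 * plain PHP here only so the example is self-contained.
 */
function renderFirstnameInput(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="firstname" value="' . $escaped . '">';
}

/**
 * The order used in the first post: escape first, then cut to $len
 * characters with no ellipsis (what truncate:100:"":true does). Because
 * escaping lengthens the string, the cut can land inside an entity.
 */
function escapeThenTruncate(string $value, int $len): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return mb_substr($escaped, 0, $len, 'UTF-8');
}

// Constructed sample input: 97 letters followed by "&Co", exactly 100
// characters, so it passes the application-level limit unchanged.
$submitted = str_repeat('A', 97) . '&Co';

[$clean, $error] = validateFirstname($submitted);
echo $error === null ? "accepted\n" : "rejected: $error\n";

// Escaping the accepted raw value keeps the entity whole: ...AAA&amp;Co
echo renderFirstnameInput($clean), "\n";

// Escaping first gives 104 characters ("&" became "&amp;"); truncating to
// 100 then leaves the attribute ending in the broken entity "&am".
echo escapeThenTruncate($submitted, FIRSTNAME_MAX), "\n";
```

The point is the one made in the thread: the application decides what data is acceptable (and tells the user when it is not), while the template only formats whatever it is handed. Keeping truncation out of the template also avoids the ordering problem shown in the last function, where a presentational cut silently damages escaped output.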