PHP - security etc
Tim Sweetman
ti at lemonia.org
Wed Mar 7 21:14:53 GMT 2007
Andy Armstrong wrote:
> On 7 Mar 2007, at 20:35, David Dorward wrote:
>
>> David Cantrell wrote:
>>
>>> Of course, one has to do the same when putting a web page together using
>>> perl, don't you?
>>
>>
>> Nope :)
>>
>> my $template_toolkit_config = {
>> INCLUDE_PATH => $data_path,
>> STASH => Template::Stash::EscapeHTML->new
>> };
>
>
> So in fact you /do/ have to know about escaping HTML? :)
>
> I think that's the main issue here - regardless of the method they
> should use it just doesn't occur to many PHP developers that they
> need to do anything at all. Granted making HTML escaping the default
> might save them from /some/ problems but it's not a substitute for
> understanding why it's necessary in the first place.
The natural tendency will be to use the default thing, whether from
inexperience, carelessness, or trying to do fifteen other things at
once. If the default thing puts escaping on, then your markup doesn't
work. This is immediately (or almost immediately) evident, and gets fixed.
If the default thing puts escaping off, nothing happens for ages, until
your work is live, and then it gets pwn3d.
Escaping on by default is the right behaviour for templating systems for
web apps.
ti'
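Added example, not from the thread: the two defaults side by side in Perl with Template Toolkit, using the STASH setting from David's config. It assumes Template::Stash::EscapeHTML HTML-escapes every variable on lookup, as its name says; the sample data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;
use Template::Stash::EscapeHTML;

# Constructed sample data: one value is markup the developer meant to render,
# the other is untrusted user input carrying a script tag.
my %vars = (
    heading => '<em>Welcome</em>',              # developer-supplied markup
    comment => '<script>alert("xss")</script>', # untrusted input
);
my $template = "<h1>[% heading %]</h1>\n<p>[% comment %]</p>\n";

# Escaping off (the stock Template::Stash): nothing looks wrong in testing,
# but the script tag in the untrusted value goes straight into the page.
my $raw = Template->new({});
$raw->process(\$template, \%vars, \my $unsafe) or die $raw->error;
print "--- default stash ---\n$unsafe";

# Escaping on by default (the stash from the post): every variable is
# HTML-escaped on lookup (assumed behaviour of the module). The script tag is
# neutralised, and the heading's <em> tags come out as literal text, so the
# developer sees the breakage the first time the page is viewed.
my $safe = Template->new({ STASH => Template::Stash::EscapeHTML->new });
$safe->process(\$template, \%vars, \my $escaped) or die $safe->error;
print "--- EscapeHTML stash ---\n$escaped";
```

With the default stash the second output line is the script tag verbatim; with the escaping stash both values arrive as `&lt;...&gt;` text, which is the visible failure the post argues is the safer one.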