NYPHP.org

[nycphp-talk] Templating engines

Rob Marscher rmarscher at beaffinitive.com
Thu Jan 24 02:17:23 EST 2008


On Jan 23, 2008, at 3:56 PM, Cliff Hirsch wrote:
> On 1/23/08 3:44 PM, "John Campbell" <jcampbell1 at gmail.com> wrote:
>> I just discovered smarty has default modifiers:
>> http://www.smarty.net/manual/en/variable.default.modifiers.php
> Smarty does have an override: {$var|smarty:nodefaults} to cover the
> exceptions.
That's right... I remember seeing something similar in another
templating system and thought it was probably a good idea.  I guess it
will probably end up escaping more data than it has to... but it might
save you from user error leading to XSS attacks.  I always wondered
how much of a blip in the radar all the escaping does to the server
and if it would be worth caching some things in their escaped state.

On Jan 23, 2008, at 5:40 PM, Cliff Hirsch wrote:
> I wonder what the default order is for the default escape -- first  
> or last.

It's got to be first... but I guess I'd have to test to be sure.

On Jan 23, 2008, at 2:50 PM, Cliff Hirsch wrote:
> On 1/23/08 2:33 PM, "Rob Marscher" <rmarscher at beaffinitive.com> wrote:
>> I decided that the view/template has to be responsible for escaping.
> I can't see how it can't be a mix. What if your variable  
> intentionally has markup? Some content may allow, and intentionally  
> have, simple markup like <b>, <ul/li>, <br> etc. Escaping this  
> variable in the template would not be a good thing.
Yeah, I meant that it would be a mix and the template would know to
not escape (or to unescape with the nodefaults modifier in the Smarty
example above) variables that contain markup.  Probably a good idea to
employ some type of naming scheme for those variables and make sure
they are filtered when they are coming from user input.
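An added example (not code from the thread) putting the three points of the message together in one script: Smarty's default_modifiers turned on so every {$var} is HTML-escaped, a naming convention where only html_* variables may be rendered with smarty:nodefaults, a whitelist filter applied to those html_* values before they are assigned, and a third template that answers the "first or last" question by observing the output rather than guessing. It assumes Smarty.class.php (Smarty 2 or 3) is on the include path; the template names, the html_ prefix, the allow_simple_markup() helper and the sample input are this example's own conventions.

```php
<?php
// Added example, not from the original thread. Assumes Smarty 2 or 3 with
// Smarty.class.php on the include path. Template names, the html_ prefix,
// allow_simple_markup() and the sample strings are this example's own.
require_once 'Smarty.class.php';

$dir = sys_get_temp_dir() . '/smarty-escape-demo';
@mkdir($dir . '/templates', 0700, true);
@mkdir($dir . '/templates_c', 0700, true);

// Constructed templates, one per case we want to observe.
$templates = array(
    'plain.tpl' => '{$comment}',                      // default escape applies
    'upper.tpl' => '{$comment|upper}',                // default + template modifier
    'raw.tpl'   => '{$html_body|smarty:nodefaults}',  // markup allowed, defaults off
);
foreach ($templates as $name => $src) {
    file_put_contents("$dir/templates/$name", $src);
}

$smarty = new Smarty();
$smarty->template_dir = $dir . '/templates';
$smarty->compile_dir  = $dir . '/templates_c';
// Every {$var} is run through escape:"html" unless the template opts out
// with smarty:nodefaults.
$smarty->default_modifiers = array('escape:"html"');

// Constructed "user input": a comment carrying a script tag, and a body
// that is intentionally allowed to contain simple markup.
$comment = '<script>alert(1)</script> & "quotes"';
$body    = '<b>bold</b><br><img src=x onerror=alert(1)><ul><li>item</li></ul>';

// Naming scheme: only html_* variables may reach the template unescaped,
// and every html_* value is whitelisted here before it is assigned.
function allow_simple_markup($s)
{
    // strip_tags keeps only the listed tags, but leaves their attributes
    // (e.g. onclick=) in place, so a second pass drops those as well.
    $s = strip_tags($s, '<b><i><ul><li><br>');
    return preg_replace('/<(b|i|ul|li|br)\b[^>]*>/i', '<$1>', $s);
}

$smarty->assign('comment',   $comment);
$smarty->assign('html_body', allow_simple_markup($body));

foreach (array_keys($templates) as $name) {
    echo $name, ': ', $smarty->fetch($name), "\n";
}
```

plain.tpl should print the comment with <, >, & and the quotes entity-encoded, and raw.tpl should print the body with the <img> (and its onerror=) gone but <b>, <br>, <ul> and <li> intact. upper.tpl settles the ordering question: if the default escape ran before |upper the entity names themselves are uppercased (&LT;SCRIPT&GT; ...), and if it ran after them they stay lowercase (&lt;SCRIPT&gt; ...).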
