[nycphp-talk] Short Tags deprecated?
Paul A Houle
paul at devonianfarm.com
Mon Aug 31 10:29:32 EDT 2009
Hans Zaunere wrote:
>
> Yeah something like this could be handy, certainly. I typically push/adapt
> an object into the template which is property overloaded. Then something
> like:
>
> <?=$Object->FirstName?>
>
>
I'm afraid that this is getting us back to magic_quotes_gpc:
because now I might want to write
$first_name=$Object->FirstName;
and then do something with $first_name that isn't writing it into
HTML. magic_quotes_gpc was effective protection against a certain
category of HTML injection faults, but it made it difficult to write
entirely correct code that processes the content of strings. I prefer
the model of "escape at the time of output" rather than preemptive
escaping: particularly these days, where you might be escaping a
variable to be a JavaScript string literal instead of an HTML code.
Today people are realizing that HTML/JavaScript injection attacks
are difficult to stop (there are lots of clever ways to inject
JavaScript that you'd never think of), and some systems are taking
different approaches. ASP.NET, for instance, has an "application
firewall" built in that looks for dangerous inputs in form variables and
that will abort your application if you get fed junk. Although my first
impression is that this is "magic_quotes_gpc all over again", and I've
definitely seen the system block legitimate input, Microsoft has done a
good job of justifying this behavior.
> Outputs correctly escaped (or processed in any other way depending on what
> the overload wants to do) content. Quite handy and has proved effective.
>
> It does seem that it'd be handy to have some type of "stdout" processing
> hook that can be overridden, while providing a shorthand for working in
> templates.
>
It makes some people feel dirty, but you can do this with global
variables, assuming your template system remembers to set them when you
get in or out of a template. My own "php on nails" system has quite a
few functions that behave differently if serving a web page or run from
the command line.
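An added illustration of the two approaches discussed in this thread (not code from either poster): a property-overloaded object that escapes inside `__get`, beside one that returns raw data and leaves escaping to each output site. The class and helper names (`EscapingView`, `RawView`, `h()`, `js()`) and the sample record are invented for this sketch.

```php
<?php
// Constructed sample record, as a template might receive it (16 characters).
$row = ['FirstName' => "O'Brien <script>"];

// Approach 1: __get escapes, so <?=$Object->FirstName?> is safe in HTML ...
class EscapingView {
    public function __construct(private array $data) {}
    public function __get(string $name): string {
        return htmlspecialchars($this->data[$name], ENT_QUOTES, 'UTF-8');
    }
}

// ... but the value handed back is already HTML, so any further processing
// sees entities instead of the original string (the magic_quotes_gpc problem).
$view = new EscapingView($row);
$first_name = $view->FirstName;   // "O&#039;Brien &lt;script&gt;"
echo strlen($first_name), "\n";   // 27, not 16

// Approach 2: the object returns raw data; the output site escapes for its
// own context, so one value can go into HTML text or a JavaScript literal.
class RawView {
    public function __construct(private array $data) {}
    public function __get(string $name): string { return $this->data[$name]; }
}

// HTML text / attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context: json_encode quotes the string and the
// HEX flags keep <, >, &, ' and " from ever appearing literally in markup.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$view = new RawView($row);
$first_name = $view->FirstName;   // raw, so string processing works normally
$shout = strtoupper($first_name); // still 16 characters, no entities
?>
<p>Hello, <?= h($shout) ?></p>
<script>var firstName = <?= js($first_name) ?>;</script>
```

Running this as a `.php` file prints `27` and then the two rendered lines; the same raw value is escaped one way for the `<p>` and another way for the `<script>` block.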