Auto escape all variables in View

Auto escape all variables in View

takeshin
Has anyone here already created a custom View
which escapes all variables by default?

Willing to share?

--
regards
takeshin

Re: Auto escape all variables in View

David Mintz


On Thu, Oct 8, 2009 at 12:02 PM, admirau <[hidden email]> wrote:

Has anyone here already created a custom View
which escapes all variables by default?

Willing to share?


Or imagine a Zend_View whose constructor took an option autoEscape => true, true by default. Hmmm



--
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness

Re: Auto escape all variables in View

keith Pope-4
2009/10/8 David Mintz <[hidden email]>:
>
>
> On Thu, Oct 8, 2009 at 12:02 PM, admirau <[hidden email]> wrote:
>>
>> Has anyone here already created a custom View
>> which escapes all variables by default?
>>
>> Willing to share?

I haven't, but I think this is planned for 2.0...

>>
>
> Or imagine a Zend_View whose constructor took an option autoEscape => true,
> true by default. Hmmm
>
>
>
> --
> David Mintz
> http://davidmintz.org/
>
> The subtle source is clear and bright
> The tributary streams flow through the darkness
>

Re: Auto escape all variables in View

Pieter Vogelaar
Over at the PiKe project we built a custom stream wrapper that automatically escapes all view variables, to be safe by default against XSS, with a MINIMAL performance hit! You can still get the RAW value with:

<?=~ $variable ?>

Notice the "~" character. Check out http://code.google.com/p/php-pike/wiki/Pike_View_Stream
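A sketch of the approach Pieter describes, added here as an example and not PiKe's (or Zend's) own code: a PHP stream wrapper (hypothetical name `AutoEscapeViewStream`, hypothetical scheme `autoescape.view`) rewrites a view script as it is included, so every short echo tag goes through htmlspecialchars() and only the `~`-marked tag is echoed raw. Assumes PHP 7.4+ and that the view script is included through the wrapper (in Zend_View, the include inside its `_run()` would be the place to route through it).

```php
<?php
// Added example (not PiKe's code): a stream wrapper that rewrites a view script
// as it is included, so `<?= $x` output is HTML-escaped and `<?=~ $x` stays raw.
class AutoEscapeViewStream
{
    public const PROTOCOL = 'autoescape.view';   // hypothetical scheme name
    public $context;                             // set by PHP for wrappers
    private string $data = '';
    private int $pos = 0;
    // Only short echo tags are rewritten; a literal close tag inside the echoed
    // expression would end the match early, so keep such logic out of views.
    public static function rewrite(string $source): string
    {
        return preg_replace_callback(
            '/<\?=\s*(~?)\s*(.*?)\s*\?>/s',
            static function (array $m): string {
                if ($m[1] === '~') {
                    return '<?= ' . $m[2] . ' ?>';             // explicit raw
                }
                return '<?= htmlspecialchars((string) (' . $m[2]
                    . "), ENT_QUOTES, 'UTF-8') ?>";
            },
            $source
        );
    }
    public function stream_open(string $path, string $mode, int $opts, &$opened): bool
    {
        $src = @file_get_contents(substr($path, strlen(self::PROTOCOL . '://')));
        if ($src === false) { return false; }
        $this->data = self::rewrite($src);   // rewritten source is what PHP compiles
        return true;
    }
    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_stat(): array { return ['size' => strlen($this->data)]; }
    public function stream_set_option($opt, $arg1, $arg2): bool { return false; }
}
stream_wrapper_register(AutoEscapeViewStream::PROTOCOL, AutoEscapeViewStream::class);

// Constructed demo view: $name is attacker-controlled, $trustedHtml is not.
$tpl = tempnam(sys_get_temp_dir(), 'view');
file_put_contents($tpl, "<p><?= \$name ?></p>\n<div><?=~ \$trustedHtml ?></div>\n");
$name = '<script>alert(1)</script>';
$trustedHtml = '<b>bold</b>';
include AutoEscapeViewStream::PROTOCOL . '://' . $tpl;
```

Because the rewrite works on source text, anything echoed with a long `<?php echo ... ?>` form bypasses it, and the same regex would need extending to cover that. htmlspecialchars() is only correct for HTML body and quoted attribute context; values placed into JavaScript or URLs still need their own escaper.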