> -----Original Message-----
> From: Stefan Walk [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2008 11:08
> To: Jared Williams
> Cc: 'PHP Internals'
> Subject: Re: [PHP-DEV] short_open_tag
>
> Jared Williams wrote:
> > <ul>
> > <? foreach ($items as $item): ?>
> > <li><?=htmlspecialchars($item)?></li>
> > <? endforeach ?>
> > </ul>
>
> Well, it's the same as the "but I can't validate my PHP
> source with xmllint" folks: You're doing it at the wrong
> point. Escaping should happen at the point where you assign
> the var as a template var (in my small template class:
> $tpl->assign('items', $some_data) will escape all "leaves" in
> the data $some_data). This way you don't have to type it
> every time, you don't have to read it every time and - best of
> all - you can't forget to do it, so introducing an XSS
> vulnerability is much less likely.
>
> Regards,
> Stefan
A lot of people don't use templates, just raw PHP. So having an escaping short tag would decrease XSS vulnerabilities. I don't understand why we need to essentially duplicate all the variables just to provide proper escaping.

Jared

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
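The two approaches argued over above, side by side, as an added example that is not code from either poster: a minimal template class in the style Stefan describes, which walks the assigned data and escapes every string "leaf" at assign() time, next to the raw-PHP form Jared uses, which escapes at the point of output. The class name `Tpl`, its methods, the template file layout and the sample items are all assumptions made here for illustration; the XSS payload in `$items` is constructed input.

```php
<?php
// Added example, not from the thread. Class/method names are assumptions.
declare(strict_types=1);

final class Tpl
{
    /** @var array<string, mixed> escaped template variables */
    private array $vars = [];

    // Escape at the point of assignment so the view never has to remember to.
    public function assign(string $name, mixed $value): void
    {
        $this->vars[$name] = self::escapeLeaves($value);
    }

    // Recurse into arrays; escape strings; leave ints/floats/bools/null alone.
    // ENT_QUOTES also escapes ' so the value is safe inside single-quoted
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    private static function escapeLeaves(mixed $value): mixed
    {
        if (is_array($value)) {
            // array_map with a single array preserves keys.
            return array_map([self::class, 'escapeLeaves'], $value);
        }
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        }
        return $value;
    }

    // Render a template file with the already-escaped vars in scope.
    public function render(string $file): string
    {
        extract($this->vars, EXTR_SKIP);
        ob_start();
        include $file;
        return (string) ob_get_clean();
    }
}

// Jared's way: raw PHP, escaping inline at output time.
function renderRaw(array $items): string
{
    ob_start();
    ?>
<ul>
<?php foreach ($items as $item): ?>
<li><?= htmlspecialchars($item, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') ?></li>
<?php endforeach ?>
</ul>
<?php
    return (string) ob_get_clean();
}

// Stefan's way: the template prints values as-is because assign() escaped them.
// The template lives in a file here only to mirror a real include-based view.
$templatePath = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($templatePath, <<<'TPL'
<ul>
<?php foreach ($items as $item): ?>
<li><?= $item ?></li>
<?php endforeach ?>
</ul>

TPL);

// Constructed sample input carrying a script injection and attribute breakers.
$items = ['plain text', '<script>alert(1)</script>', 'a "quoted" & \'single\' value'];

$tpl = new Tpl();
$tpl->assign('items', $items);
$viaAssign = $tpl->render($templatePath);
$viaOutput = renderRaw($items);
unlink($templatePath);

echo $viaAssign;
// Both paths produce identical, neutralised HTML for the same input.
assert($viaAssign === $viaOutput);
assert(!str_contains($viaAssign, '<script>'));
```

Two practitioner caveats apply to the assign-time approach. First, htmlspecialchars() is correct only for HTML body and attribute context; a value that the view later drops into a JavaScript string, a URL or a CSS block needs a different encoder, and escaping at assign() time fixes the context before the view knows where the value will land. Second, if a template author escapes a value that assign() already escaped, the output is double-encoded (`&amp;lt;` instead of `&lt;`), so a team using a class like this has to agree that views never escape. Separately, since PHP 5.4 the `<?=` echo tag has been available regardless of the short_open_tag setting, so the first half of Jared's original snippet no longer depends on that ini value; the `<?` open tag still does.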