Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re^5: RFC: Templating without a System

by Aristotle (Chancellor)
on Oct 24, 2006 at 07:41 UTC ( [id://580207]=note: print w/replies, xml ) Need Help??


in reply to Re^4: RFC: Templating without a System
in thread RFC: Templating without a System

If unsafe content makes it’s way through a program right to the last stage of processing before outputting a page, or if it produces insecure content from other sources, I’d consider that program to be seriously broken.

That’s backwards. Input isn’t unsafe. If I have a single apostrophe in my name, it shouldn’t break SQL queries. If I put an ampersand in a post title, it shouldn’t break HTML documents. If such breakage occurs, it leads to vectors for SQL injection or cross-site scripting, but that doesn’t mean the input is illegitimate. It’s at the time where the input is interpolated into something else that the problem occurs. And just like it’s the DBD’s business to properly quote values for query execution, so it is the template engine’s business to properly escape strings for insertion into output.

Makeshifts last the longest.

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://580207]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others surveying the Monastery: (7)
As of 2024-04-19 13:03 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found