#112 Templates & User Input

open
nobody
None
5
2003-02-21
2003-02-21
Thomas Lee
No

Due to the way the template system works, it is
possible for user-defined data (i.e. data stored in the
database that was originally input from a form) to be
interpreted by the phplib template system as a template
variable. This has the potential to be dangerous if secret
data is put inside template variables (not very likely, but
it's still a potential problem), but for the most part it's
just downright annoying.

My current work-around involves parsing all user input
variables and replacing "{" and "}" with "{"
and "}" respectively, then parsing back through it
again just before the render (i.e. $tpl->p()) and reversing
the process.
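As an added illustration, not code from the bug report or from phplib itself: a minimal PHP stand-in for phplib's sequential variable substitution, showing how a stored user string containing `{name}` gets expanded by a later substitution pass, and the escape-then-restore work-around the report describes. The escape tokens, the sample variable names and the `$tpl` template text are assumptions (the report's own replacement strings are not legible in this copy of the ticket).

```php
<?php
// Added example; not the bug report's code and not phplib's Template class.
// render_template() is a simplified stand-in for phplib's substitution:
// variables are replaced one after another, so text inserted by an
// earlier replacement is itself scanned by every later one.
function render_template(string $tpl, array $vars): string
{
    foreach ($vars as $name => $value) {
        $tpl = str_replace('{' . $name . '}', $value, $tpl);
    }
    return $tpl;
}

// Escape tokens for the work-around (assumed values: control characters
// that neither a template file nor normal form input should contain).
const LBRACE_TOKEN = "\x01";
const RBRACE_TOKEN = "\x02";

// Applied to user input before it is stored or handed to the template.
function escape_braces(string $s): string
{
    return str_replace(['{', '}'], [LBRACE_TOKEN, RBRACE_TOKEN], $s);
}

// Applied to the fully substituted page just before output ($tpl->p()).
// It must run after the last substitution pass, or the braces are live again.
function unescape_braces(string $s): string
{
    return str_replace([LBRACE_TOKEN, RBRACE_TOKEN], ['{', '}'], $s);
}

// Constructed sample: a stored user comment, plus a variable the page
// legitimately sets later in the same render.
$tpl         = "<p>{comment}</p>\n<!-- mailer: {smtp_password} -->\n";
$userComment = 'Hi {smtp_password} there';   // attacker-controlled, from a form

// Vulnerable path: {comment} is substituted first, then the pass for
// smtp_password rewrites the {smtp_password} that came from the user.
$leaky = render_template($tpl, [
    'comment'       => $userComment,
    'smtp_password' => 'hunter2',
]);

// Work-around path: braces in user data are neutralised before
// substitution and restored only once every variable pass has run.
$safe = unescape_braces(render_template($tpl, [
    'comment'       => escape_braces($userComment),
    'smtp_password' => 'hunter2',
]));

assert(strpos($leaky, '<p>Hi hunter2 there</p>') !== false);
assert(strpos($safe, '<p>Hi {smtp_password} there</p>') !== false);

echo "leaky:\n", $leaky, "safe:\n", $safe;
```

Two caveats follow from the sequential model. The leak only occurs when the secret variable is substituted after the one carrying user data, so whether a given page is affected depends on variable order, not just on the data. And the restore step must be the very last thing before output: any further parse of the same buffer after `unescape_braces()` re-exposes the braces, which is why the report ties it to the `$tpl->p()` call rather than to an earlier parse.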

Discussion