Re: [htmltmpl] option to turn ESCAPE=HTML on by default
From: Roger B. W. <ro...@fi...> - 2005-10-14 15:12:14
On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
> * Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
>> I'm curious about what other people think about an option to
>> turn ESCAPE=HTML on by default, to protect against cross site scripting
>> by default.
> All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
> looks very confusing. Should probably be "ESCAPE=none".

Agreed, and that's a better option - remembering that we have ESCAPE=url as a possible mode as well, and others in extension modules.

default_escape_mode would make sense as a parameter name.

R
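The behaviour the thread is arguing about, shown side by side as an added example (not code from the thread or from the HTML::Template distribution). It uses only the documented TMPL_VAR ESCAPE attribute, a scalarref template, and the default_escape constructor option that later HTML::Template releases ship with (assumed here; check the POD of the installed version, since the 2005 thread is proposing it under the name default_escape_mode). The attacker-controlled strings are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed sample input standing in for untrusted request data.
my $payload = q{<script>alert(1)</script>};
my $query   = q{a b&c=d};

# 1. The default the thread wants to change: a bare TMPL_VAR is
#    interpolated verbatim, so the payload reaches the browser as markup.
my $unsafe_tmpl = <<'END';
name: <TMPL_VAR NAME="name">
END

my $t1 = HTML::Template->new(scalarref => \$unsafe_tmpl);
$t1->param(name => $payload);
print "--- bare TMPL_VAR (no escaping)\n", $t1->output;

# 2. What template authors have to write today: opt in on every variable.
#    ESCAPE=HTML entity-encodes for element content, ESCAPE=URL
#    percent-encodes for a query-string context; the two are not
#    interchangeable.
my $explicit_tmpl = <<'END';
name: <TMPL_VAR NAME="name" ESCAPE="HTML">
link: /search?q=<TMPL_VAR NAME="q" ESCAPE="URL">
END

my $t2 = HTML::Template->new(scalarref => \$explicit_tmpl);
$t2->param(name => $payload, q => $query);
print "--- per-variable ESCAPE=HTML / ESCAPE=URL\n", $t2->output;

# 3. Escape-by-default, the behaviour proposed in the thread.  Assumed to
#    be spelled default_escape => 'HTML' in later releases.  Only the
#    variable that genuinely carries server-generated markup opts out,
#    with ESCAPE=0, which is the "10% that are not escaped" case.
my $default_tmpl = <<'END';
name: <TMPL_VAR NAME="name">
body: <TMPL_VAR NAME="trusted_html" ESCAPE="0">
END

my $t3 = HTML::Template->new(
    scalarref      => \$default_tmpl,
    default_escape => 'HTML',
);
$t3->param(
    name         => $payload,
    trusted_html => '<b>server-generated</b>',
);
print "--- default_escape => 'HTML', one explicit opt-out\n", $t3->output;
```

Running it prints the three renderings in order; the first carries the script tag through unchanged, the second and third entity-encode it. The practical point of the design the thread favours is the inversion of the review burden: with escaping on by default, the only lines that need a security reviewer's attention are the explicit opt-outs, which are greppable.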