Re: [Phphtmllib-devel] postgresql
From: Culley H. <cu...@fa...> - 2004-03-07 22:46:48
> > ---heh yah. I hear ya. I am going through the process of converting a home
> > baked DB object to adodb at my job now. It's a daunting task, but one that will
> > pay off in the long run.

The transition from PEAR probably wouldn't be too bad-- I could probably just write up a global find and replace script for object methods and then manually do the ones whose arguments don't match. Someday I will do this. It is on the someday pile.

> > ---that's kewl. I appreciate it. Just give me a heads up when you make the
> > changes. I'll be soon updating the cvs repository on sourceforge to auto email
> > us when commits are made to the module.

This is ready to go but Sourceforge CVS seems to be on the fritz. Later today I guess.

> I've always been a big fan of OOP, and widgets for html seemed to make sense
> to me at least.

The OO-ness of phphtmllib is one of the primary features I think. Unfortunately the sites I maintain are basically a sequential series of include files so I can't use the PageWidget. I am just rendering html fragments... Someday I would like to convert everything to using PageWidgets but I get a little dizzy just thinking about all that work.

> > ---you almost have it. action_button() returns a button object that is placed
> > in the actionbar. So the proper way to do it is to override the
> > actionbar_cell() method and return the buttons you want to see there

Very slick! This widget is the crown jewel of phl...

Hey so I was just testing a form for cross site scripting vulnerability and this code executed in the confirm page:

<script> alert(location.href); </script>

Single and double quotes are escaped so that solves a lot of problems but I'm sure there is a way to do something malicious without using quotes. So this could be handled in the form code but what about tackling it higher up, say in HTMLTagClass?

If there were a flag method like HTMLTagClass::scrub_data(bool $scrub = true) that, when set, would scrub the output of any data rendered in any html tag. Writing secure pages would be much easier if this could somehow be called once for a container and recursively affect all contained objects. Or better yet something like: HTMLTagClass::register_callback_scrubber() so you could set exactly what you want done to the data. Sometimes strip_tags() other times nl2br(), myFunc() etc. Maybe this isn't practical... Just brainstorming. :)

culley
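Below is an added sketch of the "register a scrubber once on the container, apply it recursively to every piece of rendered data" idea from the mail above. It is not phphtmllib code: the Tag class, its render() signature and the register_callback_scrubber() method are hypothetical, and the untrusted input is the probe string quoted in the mail.

```php
<?php
// Hypothetical container/tag class (not phphtmllib's HTMLTagClass).
// A scrubber registered on the outermost tag is inherited by every
// nested tag at render time, so user data is encoded in one place.
final class Tag
{
    /** @var callable|null scrubber applied to string children */
    private $scrubber = null;
    private array $children = [];

    public function __construct(private string $name, array $children = [])
    {
        foreach ($children as $c) { $this->add($c); }
    }

    /** Child may be a nested Tag or a raw (untrusted) string. */
    public function add(Tag|string $child): void
    {
        $this->children[] = $child;
    }

    /** Call once on the container; descendants inherit the callback. */
    public function register_callback_scrubber(callable $fn): void
    {
        $this->scrubber = $fn;
    }

    public function render(?callable $inherited = null): string
    {
        $scrub = $this->scrubber ?? $inherited;   // nearest ancestor wins
        $out = '<' . $this->name . '>';
        foreach ($this->children as $child) {
            $out .= $child instanceof Tag
                ? $child->render($scrub)           // recurse with the callback
                : ($scrub ? $scrub($child) : $child);
        }
        return $out . '</' . $this->name . '>';
    }
}

// Constructed untrusted input: the XSS probe from the mail.
$probe = '<script> alert(location.href); </script>';

$page = new Tag('div', [new Tag('p', ['Name: ', $probe])]);
$page->register_callback_scrubber(
    fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8')
);
echo $page->render(), "\n";   // the <script> tag comes out as inert text
```

htmlspecialchars() is the right callback for text content; data placed in attributes, URLs or inline scripts needs its own context-specific encoding, which is the case for a per-container callback rather than a single global flag.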