Templates & User Input
Brought to you by:
nhruby,
richardarcher
Menu
▾
▴
#112 Templates & User Input
Due to the way the template system works, it is
possible for user-defined data (i.e. data stored in the
database that was originally input from a form) has the
potential to be interpreted by the phplib template system
as a template variable. This has the potential to be
dangerous if secret data is put inside template variables
(not very likely, but it's still a potential problem) - but for
most part it's just downright annoying.
My current work-around involves parsing all user input
variables and replacing "{" and "}" with "{"
and "}" respectively, then parsing back through it
again just before the render (i.e $tpl->p()) and reversing
the process.
