[Phplib-trackers] [ phplib-Bugs-690462 ] Templates & User Input
From: SourceForge.net <no...@so...> - 2003-02-21 03:09:12
Bugs item #690462, was opened at 2003-02-21 13:17
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=403611&aid=690462&group_id=31885

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Thomas Lee (krumms)
Assigned to: Nobody/Anonymous (nobody)
Summary: Templates & User Input

Initial Comment:
Due to the way the template system works, it is possible for user-defined data (i.e. data stored in the database that was originally input from a form) to be interpreted by the phplib template system as a template variable.

This has the potential to be dangerous if secret data is put inside template variables (not very likely, but it's still a potential problem), but for the most part it's just downright annoying.

My current work-around involves parsing all user input variables and replacing "{" and "}" with "{" and "}" respectively, then parsing back through it again just before the render (i.e. $tpl->p()) and reversing the process.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=403611&aid=690462&group_id=31885
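The behaviour the report describes, as an added example that is not phplib's own code and not the reporter's workaround: a deliberately simplified stand-in for the substitution step, assumed (not verified against phplib's source) to replace every registered `{NAME}` with one sequential `str_replace` over the whole block, so a value substituted early is rescanned for later placeholders. Next to it is a single-pass variant in which substituted values are never rescanned, and an escape helper in the spirit of the reporter's workaround; the placeholder regex, the `&#123;`/`&#125;` tokens, the variable names and the template text are all assumptions made for this demo.

```php
<?php
declare(strict_types=1);

// Simplified model of a phplib-style template pass (added example, NOT
// phplib's code, and assumed rather than copied from it): each registered
// variable NAME is replaced via '{NAME}' => value over the whole block,
// in one sequential str_replace over all variables.
function render_sequential(string $tpl, array $vars): string
{
    $keys = [];
    $vals = [];
    foreach ($vars as $name => $value) {
        $keys[] = '{' . $name . '}';
        $vals[] = (string) $value;
    }
    // With array arguments str_replace applies each pair to the output of
    // the previous one, so a value inserted early is rescanned for later
    // keys: braces inside user data become live placeholders.
    return str_replace($keys, $vals, $tpl);
}

// Hardened variant: one regex pass over the ORIGINAL template only.
// Substituted values are never rescanned, so braces in user data stay
// literal text. Unknown placeholders are left untouched (an assumption;
// phplib has its own options for unresolved variables).
function render_single_pass(string $tpl, array $vars): string
{
    return preg_replace_callback(
        '/\{([A-Za-z0-9_]+)\}/',   // assumed placeholder syntax
        static function (array $m) use ($vars): string {
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $tpl
    );
}

// In the spirit of the reporter's workaround: neutralise braces in user
// data before it reaches the template. The replacement tokens are an
// assumption; the tracker post does not show which ones were used. For
// HTML output the browser renders them back as literal braces, so the
// reverse step the reporter describes is optional here.
function escape_braces(string $s): string
{
    return str_replace(['{', '}'], ['&#123;', '&#125;'], $s);
}

// Constructed demo data: a template containing a secret variable next to
// a user-supplied comment whose text happens to contain a placeholder.
$template = "<p>Hello {USER}</p>\n"
          . "<p>Comment: {COMMENT}</p>\n"
          . "<input type=\"hidden\" name=\"token\" value=\"{ADMIN_TOKEN}\">\n";

$vars = [
    'USER'        => 'alice',
    'COMMENT'     => 'nice site {ADMIN_TOKEN}',   // attacker-controlled input
    'ADMIN_TOKEN' => 's3cr3t-token',              // assumed secret template var
];

echo "--- sequential (vulnerable) ---\n";
echo render_sequential($template, $vars);
// The comment now reads "nice site s3cr3t-token": the secret leaked into
// user-visible output because COMMENT was substituted before ADMIN_TOKEN.

echo "--- single pass (hardened) ---\n";
echo render_single_pass($template, $vars);
// The comment keeps the literal text "{ADMIN_TOKEN}".

echo "--- sequential with escaped user data ---\n";
$safe = $vars;
$safe['COMMENT'] = escape_braces($vars['COMMENT']);
echo render_sequential($template, $safe);
// The comment carries "&#123;ADMIN_TOKEN&#125;", which no later key matches.
```

Note that the sequential model only leaks when the attacker-controlled variable is registered before the secret one; reordering the variables hides the symptom without fixing the cause, which is why the single-pass substitution is the more robust fix.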