midcom.helper.xsspreventer
-
Eero af Heurlin
midcom.helper.xsspreventer
Wed April 16 2008 06:35:57 UTC
Hi,
Since MidCOM3 DM does not use quickform (reasons are many) and since in some places even in MidCOM 2.8 we use hand-crafted forms me and Tero made a little helper to escape user submitted values that you might display. In some places considerations were taken individually (like in midcom.helper.search default style) but it's best to have one helper to change when we need to adjust something.
Currently it has two methods

1. `escape_attribute` which can be used to escape an element attribute value like:

echo '<input name="foo" value=' . midcom_helper_xsspreventer::escape_attribute($_POST['foo']) . " />\n";

Note that this adds quotes around the value, think `escapeshellarg()`.

2. `escape_element` which can be used when you have user submitted data as element content like:

echo '<textarea name="bar">' . midcom_helper_xsspreventer::escape_element('textarea', $_POST['bar']) . "</textarea>\n";
This escapes any attempts in the $_POST['bar'] to prematurely close the textarea element it's supposed to be in.
A third escape for just displaying user submitted content as HTML is in the plans, but in most cases such would go through DM2 save routines and in case of correctly configured datatype through htmlpurifier so it's not as urgent.
/Rambo
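The two helpers described in the message above, as an added PHP illustration that is not the midcom.helper.xsspreventer code from the thread: the class name example_xsspreventer, the fixed UTF-8 charset and the refusal to handle script/style content are assumptions made here; only the two method names, the quote-wrapping of escape_attribute and the "cannot close the element early" property of escape_element follow Eero's description.

```php
<?php
// Added example for this thread, not the project's midcom.helper.xsspreventer code.
// The class name, the charset constant and the script/style check are assumptions;
// the method names and their described behaviour come from the message above.

class example_xsspreventer
{
    const CHARSET = 'UTF-8'; // assumed to match the page's output encoding

    /**
     * Escape a value for use as an attribute value and wrap it in double quotes,
     * in the spirit of escapeshellarg(): the template writes value=<result>,
     * not value="<result>", so the quoting cannot be forgotten.
     */
    public static function escape_attribute($value)
    {
        // ENT_QUOTES encodes both " and ', so neither can terminate the attribute
        // and start a new one (e.g. an event handler) in the tag.
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES, self::CHARSET);
        return '"' . $escaped . '"';
    }

    /**
     * Escape user data that becomes the text content of an element such as
     * <textarea>. With < and > entity-encoded the browser never sees a literal
     * "</textarea" in the content, so the element cannot be closed prematurely.
     */
    public static function escape_element($element, $value)
    {
        // Entity encoding only works where the browser decodes entities: inside
        // <script> and <style> the content is raw text and needs JavaScript/CSS
        // escaping instead, so this helper refuses those element names.
        if (in_array(strtolower($element), array('script', 'style'), true)) {
            throw new InvalidArgumentException(
                "escape_element is not suitable for <{$element}> content"
            );
        }
        return htmlspecialchars((string) $value, ENT_QUOTES, self::CHARSET);
    }
}

// Constructed sample input standing in for the $_POST values in the message above.
$post = array(
    'foo' => 'O\'Brien said "hi"',
    'bar' => "first line\n</textarea>second line",
);

echo '<input name="foo" value=' . example_xsspreventer::escape_attribute($post['foo']) . " />\n";
echo '<textarea name="bar">' . example_xsspreventer::escape_element('textarea', $post['bar']) . "</textarea>\n";
```

Run with `php example.php`: the double quotes in `foo` come out as `&quot;` inside a quoted attribute, and the `</textarea>` in `bar` is entity-encoded so the browser shows it as literal text inside the textarea instead of treating it as the closing tag.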
-
Re: [midgard-dev] midcom.helper.xsspreventer
Wed April 16 2008 13:25:02 UTC
Eero af Heurlin wrote:
> Hi,
>
> Since MidCOM3 DM does not use quickform (reasons are many) and since in some places even in MidCOM 2.8 we use hand-crafted forms me and Tero made a little helper to escape user submitted values that you might display. In some places considerations were taken individually (like in midcom.helper.search default style) but it's best to have one helper to change when we need to adjust something.
>
> Currently it has two methods
>
>
> 1. `escape_attribute` which can be used to escape an element attribute value like:
>
> echo '<input name="foo" value=' . midcom_helper_xsspreventer::escape_attribute($_POST['foo']) . " />\n";
>
> Note that this adds quotes around the value, think `escapeshellarg()`.
>
> 2. `escape_element` which can be used when you have user submitted data as element content like:
>
> echo '<textarea name="bar">' . midcom_helper_xsspreventer::escape_element('textarea', $_POST['bar']) . "</textarea>\n";
>
> This escapes any attempts in the $_POST['bar'] to prematurely close the textarea element it's supposed to be in.
>
> A third escape for just displaying user submitted content as HTML is in the plans, but in most cases such would go through DM2 save routines and in case of correctly configured datatype through htmlpurifier so it's not as urgent.
Hi, I think this is a very good idea. I just got one suggestion
regarding the naming. We should try to have a core set of style helpers
that will be used a lot and that may be kept in a separate namespace
that is short and easy to reach.
I suggest: mStyle. So:
mStyle::escape_element() etc. Also we should look through some of the
functions in midcom/helpers/misc.php and see what others should be
placed there.
There are two reasons for this:
a) Save some typing to make the code more readable.
b) Create a minimum API that is easy to find (i.e. not scattered in x
different modules) and easy to use.
What do you think?
Kind regards,
Tarjei
> /Rambo
> _______________________________________________
> dev mailing list
> dev@lists.midgard-project.org
> http://lists.midgard-project.org/mailman/listinfo/dev
