in reply to Re^3: RFC: Templating without a System
in thread RFC: Templating without a System

Hiding directives in special attributes is a good thing, but that only holds for variable expansion, not for control structures. These are - for any template's native language - best done in what comments are for that language, imho. For HTML, that's <!-- -->; for PostScript, that's %% at the beginning of a line, and so on.
    HTML-escaping is definitely the engine's business. Why do you think cross-site scripting attacks are so common? Because everyone eventually forgets to escape something; or is just lazy. But only a vanishing minority of cases ever requires output to be printed unescaped. Good defensive programming sense then demands that escaping should be the default.

No, it's not. While HTML-escaping is necessary and MUST be done, it's not the templating engine's business. Processing templates is about output, and stuff that could lead to cross-site scripting attacks comes in via input.

If unsafe content makes its way through a program right to the last stage of processing before outputting a page, or if it produces insecure content from other sources, I'd consider that program to be seriously broken. I'm definitely not condoning forgetfulness or the wrong type of laziness by providing safety nets for lousy acrobats. Rather, I'd give them enough rope to hang themselves three times, and probably a nice explosive fuse rope.

    As for Petal and others doing the same tasks over and over, how is that relevant? You don't have to choose to follow their implementation if you follow their language design.
Good point. That's what I'm currently doing, so... delivery postponed ;-)

--shmem

_($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                              /\_¯/(q    /
----------------------------  \__(m.====·.(_("always off the crowd"))."·
");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}

Re^5: RFC: Templating without a System
by Aristotle (Chancellor) on Oct 24, 2006 at 07:41 UTC

    If unsafe content makes its way through a program right to the last stage of processing before outputting a page, or if it produces insecure content from other sources, I’d consider that program to be seriously broken.

    That’s backwards. Input isn’t unsafe. If I have a single apostrophe in my name, it shouldn’t break SQL queries. If I put an ampersand in a post title, it shouldn’t break HTML documents. If such breakage occurs, it leads to vectors for SQL injection or cross-site scripting, but that doesn’t mean the input is illegitimate. It’s at the time where the input is interpolated into something else that the problem occurs. And just like it’s the DBD’s business to properly quote values for query execution, so it is the template engine’s business to properly escape strings for insertion into output.

    Makeshifts last the longest.
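The escape-at-interpolation-time design argued for above, as an added illustration that is not code from the thread, from Petal, or from any engine named here. It assumes a made-up directive syntax living in HTML comments (the approach the RFC favours): `<!-- var NAME -->` escapes by default and `<!-- raw NAME -->` is the explicit opt-out.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five HTML metacharacters. Done here, at the point where a
# value is interpolated into markup, rather than on input.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Expand comment directives (hypothetical syntax). Escaping is the
# default; only "raw" emits a value untouched.
sub expand {
    my ($template, $vars) = @_;
    $template =~ s{<!--\s*(var|raw)\s+(\w+)\s*-->}{
        my ($mode, $name) = ($1, $2);
        my $value = exists $vars->{$name} ? $vars->{$name} : '';
        $mode eq 'raw' ? $value : html_escape($value);
    }ge;
    return $template;
}

# Constructed input: perfectly legitimate values that happen to contain
# markup metacharacters. They are only a problem if they reach the
# output unescaped.
my %vars = (
    name  => "O'Brien",
    title => "Tom & Jerry <3",
    bio   => "<em>already HTML, produced by a trusted formatter</em>",
);

my $tmpl = <<'HTML';
<h1><!-- var title --></h1>
<p>Posted by <!-- var name --></p>
<div><!-- raw bio --></div>
HTML

print expand($tmpl, \%vars);
```

The apostrophe in the name and the ampersand in the title survive as data in the rendered page, while the one deliberately unescaped slot is visible in the template as the exception it is.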