-- Ondrej Ivanič <ondrej.iva...@gmail.com> wrote
(on Tuesday, 14 July 2009, 03:47 PM +1000):
> > fixing that...), but I will note: Starting with 2.0, escaping will be
> > the default when retrieving variables from the view object, and you will
> > need to request the raw value explicitly if you need it. This is a
> 
> That sounds like a ZF version of magic_quotes... How do you want to
> deal with different escaping in javascript, css, html, xml?

Please don't jump the gun on this debate.

The default will be to escape variables using Zend_View's native
escape() method. Another method will be provided for retrieving the raw
value. Finally, we will provide a flag to allow you to toggle the
auto-behavior on and off.

Additionally, Zend_View supports, and has always supported, specifying
your own functionality for escaping values via setEscape(). As we
approach 2.0, we will add the ability to provide a Closure as an
argument to this -- which will allow you to define anything you want as
a callback (right now, it's limited to PHP callbacks only).

Within your view, you, the developer, know your context, so it's up to
you to define the escaping mechanism. We're just going to provide a sane
default for the 80/20 use case.

> View script could be mix of anything i.e:
> 
> <?php $this->var = '1/2"' ?>
> <p onclick="alert(&quot;<?php echo $this->var; ?>&quot;)"><?php echo
> $this->var; ?></p>
> 
> <script>
> document.title = "<?php echo $this->var; ?>"
> </script>
> 
> and the correct output is:
> 
> <p onclick="alert(&quot;1\/2\&quot;&quot;)">1/2&quot;</p>
> <script>
> document.title = "1\/2\"";
> </script>
> 
> For a proper automatic escaping you need an information about context
> which is very hard (impossible) to get now...
> 
> html: htmlspecialchars($s, ENT_QUOTES)
> xml: htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#',
> '', $s), ENT_QUOTES)
> css: addcslashes($s, "\x00..\x2C./:;<=>?...@[\\]^`{|}~")
> css inside html attributes: htmlspecialchars(addcslashes($s,
> "\x00..\x2C./:;<=>?...@[\\]^`{|}~"), ENT_QUOTES)
> javascript: json_encode($s)
> js inside html attributes: htmlspecialchars(json_encode($s),  ENT_QUOTES);
> 
> -- 
> Ondrej Ivanic
> (ondrej.iva...@gmail.com)
> 

-- 
Matthew Weier O'Phinney
Project Lead            | matt...@zend.com
Zend Framework          | http://framework.zend.com/

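Added worked example (not code from either message, and not Zend Framework's own code): the per-context escapers listed in the quoted message written out as PHP functions, plus a render of the quoted view script with each slot escaped for the context it sits in, checked against the output the quote calls correct. The class and function names, the CSS hex-escape variant used in place of addcslashes, and the PHP 7.2+ requirement are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from Zend Framework. One escaper
// per output context, following the list quoted above. Requires PHP 7.2+
// (mb_ord, scalar type hints). Class and function names are illustrative.
final class ContextEscaper
{
    /** HTML text nodes and quoted attribute values. */
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /** XML text: first strip the control characters XML 1.0 forbids, then escape. */
    public static function xml(string $s): string
    {
        $clean = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s);
        if ($clean === null) {
            throw new InvalidArgumentException('preg_replace failed: ' . preg_last_error());
        }
        return self::html($clean);
    }

    /** A JavaScript string literal (quotes included) for use inside <script>. */
    public static function js(string $s): string
    {
        // json_encode escapes "/" as "\/" by default, so a "</script>" in $s
        // cannot terminate the script element. It returns false for invalid
        // UTF-8; fail closed instead of emitting an empty literal.
        $encoded = json_encode($s);
        if ($encoded === false) {
            throw new InvalidArgumentException('not valid UTF-8: ' . json_last_error_msg());
        }
        return $encoded;
    }

    /** A JS string literal inside an HTML event-handler attribute: JS first, then HTML. */
    public static function jsAttr(string $s): string
    {
        return self::html(self::js($s));
    }

    /** A CSS string or identifier: hex-escape everything outside [A-Za-z0-9_-]. */
    public static function css(string $s): string
    {
        $out = preg_replace_callback('/[^A-Za-z0-9_-]/u', static function (array $m): string {
            // CSS escape form: backslash, hex code point, terminating space.
            return sprintf('\\%x ', mb_ord($m[0], 'UTF-8'));
        }, $s);
        if ($out === null) {
            throw new InvalidArgumentException('not valid UTF-8 (preg error ' . preg_last_error() . ')');
        }
        return $out;
    }

    /** CSS inside an HTML style attribute: CSS first, then HTML. */
    public static function cssAttr(string $s): string
    {
        return self::html(self::css($s));
    }
}

/** The thread's sample view script, with each slot escaped for its own context. */
function renderSample(string $value): string
{
    return sprintf(
        "<p onclick=\"alert(%s)\">%s</p>\n<script>\ndocument.title = %s;\n</script>\n",
        ContextEscaper::jsAttr($value),   // JS literal, then HTML, inside the attribute
        ContextEscaper::html($value),     // plain text node
        ContextEscaper::js($value)        // JS literal inside <script>
    );
}

// Constructed inputs: the value from the thread, then a break-out attempt.
$expected = "<p onclick=\"alert(&quot;1\\/2\\&quot;&quot;)\">1/2&quot;</p>\n"
          . "<script>\ndocument.title = \"1\\/2\\\"\";\n</script>\n";
$rendered = renderSample('1/2"');
echo $rendered;
echo $rendered === $expected ? "matches the output quoted in the thread\n" : "MISMATCH\n";

$hostile = '</script><script>alert(1)</script>';
echo ContextEscaper::js($hostile), "\n";
echo ContextEscaper::jsAttr($hostile), "\n";
echo ContextEscaper::cssAttr($hostile), "\n";
```

The point the two messages agree on is visible in renderSample(): the same value is escaped three different ways on one line of markup, so a single escaper registered through setEscape() can only ever be right for one of those slots. That is what makes HTML the sensible default for an automatic escape() and leaves the js()/css() calls to the view author, who knows which slot each value lands in.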