Hi

On Wed, Jul 15, 2009 at 2:39 AM, Matthew Weier
O'Phinney<matt...@zend.com> wrote:
>
> Within your view, you, the developer, know your context, so it's up to
> you to define the escaping mechanism. We're just going to provide a sane
> default for the 80/20 use case.
>

80/20 is a nice rule, but not for security. I went this way a few
years ago and, as you mention, it was so convenient not to care in 80%
of cases, but the rest was a pain in the ass. The setEscape() method
doesn't help much when you have to mix CSS/JS/HTML code in a
single .phtml file.

I believe the first set of messages to this list will ask questions like these:
- how to turn off automatic escaping
- why my JavaScript doesn't work
...

Finally, the proposed solution seems to be the best one with the current
Zend_View design, but it's wrong to think that you raise the level of
security in your application; the level is still the same as before.

-- 
Ondrej Ivanic
(ondrej.iva...@gmail.com)
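The mixed-context problem raised in the message above (one .phtml file that emits HTML, a JavaScript string literal and a CSS value), shown as an added example in PHP. This is not code from the thread or from Zend_View: the function names, the sample values and the host "evil.example" are constructed for the illustration, the "default" escaper is modelled as htmlspecialchars() with ENT_COMPAT (which leaves the single quote alone, as the flag default did before PHP 8.1), and multibyte handling assumes the mbstring extension.

```php
<?php
// Added example for this page (not code from the thread or from Zend_View):
// one template, three output contexts, and why a single HTML-escaping
// default is not enough for two of them. Function names, sample inputs and
// the host "evil.example" are constructed for the illustration.
// Multibyte handling assumes the mbstring extension (PHP >= 7.2 for mb_ord).

// The "sane default" under discussion, modelled as PHP's htmlspecialchars()
// with ENT_COMPAT: encodes < > & and " but leaves the single quote alone
// (ENT_COMPAT was also the flag default of htmlspecialchars() before PHP 8.1).
function defaultEscape(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// HTML text/attribute context: ENT_QUOTES covers both quote styles.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context: every character outside [a-zA-Z0-9,._]
// becomes \xHH (or \uHHHH for non-ASCII), so quotes, backslashes, newlines
// and a "</script>" sequence can no longer end the literal or the element.
function escapeJs(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', function (array $m): string {
        $ch = $m[0];
        if (strlen($ch) === 1) {
            return sprintf('\\x%02X', ord($ch));
        }
        // Non-ASCII: emit the UTF-16 code units of the character as \uHHHH.
        $out = '';
        foreach (str_split(mb_convert_encoding($ch, 'UTF-16BE', 'UTF-8'), 2) as $unit) {
            $out .= sprintf('\\u%04X', (ord($unit[0]) << 8) | ord($unit[1]));
        }
        return $out;
    }, $s);
}

// CSS value context: every character outside [a-zA-Z0-9] becomes a hex
// escape terminated by a space, so ; : ( ) and quotes lose their meaning.
function escapeCss(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed attacker-controlled values, one aimed at each context.
$htmlValue = '<b onmouseover="alert(1)">hi</b>';
$jsValue   = "'; alert(document.cookie); //";          // closes a '...' JS literal
$cssValue  = "red; background:url(//evil.example/x)";  // appends a CSS declaration

// A .phtml-style template rendered with the single default escaper: the HTML
// context is fine, the JS literal is closed by the surviving single quote,
// and the style value gains a second declaration because ; ( ) : survive.
function renderWithDefault(string $html, string $js, string $css): string
{
    return '<p>' . defaultEscape($html) . "</p>\n"
         . "<script>var name = '" . defaultEscape($js) . "';</script>\n"
         . '<p style="color: ' . defaultEscape($css) . '">x</p>' . "\n";
}

// The same template with the escaper chosen per context by the developer.
function renderContextAware(string $html, string $js, string $css): string
{
    return '<p>' . escapeHtml($html) . "</p>\n"
         . "<script>var name = '" . escapeJs($js) . "';</script>\n"
         . '<p style="color: ' . escapeCss($css) . '">x</p>' . "\n";
}

echo renderWithDefault($htmlValue, $jsValue, $cssValue);
echo renderContextAware($htmlValue, $jsValue, $cssValue);
```

Running it with the php CLI and comparing the two renders makes the point of the message concrete: the default escaper passes the JS and CSS values through unchanged (none of the characters they rely on are among the four it encodes), so the script line ends up reading `var name = ''; alert(document.cookie); //';`, while the context-aware render turns every such character into an escape sequence that the JavaScript or CSS parser reads as data. Which escaper applies is a decision only the template author can make, which is why a single global default does not change the application's security level on its own.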
