On 15 Jul 2009, at 03:30, Matthew Weier O'Phinney wrote:

80/20 is a nice rule but not for security. I went through this way a few years ago and, as you mention, it was so convenient not to care in 80%
of cases but the rest was a pain in the ass. The setEscape() method
doesn't help too much when you have to mix css/js/html code in a
single phtml file.

Why are you mixing them into a single file? Why not have separate files
for separate types of code? This simplifies the story for escaping,
allows you to run linters specific to the markup and/or language, and
allows you to factor out things like CSS and JS to your presentation
layer (where, arguably, it belongs -- *not* in your view scripts).

Just an idea/suggestion here: could we have an optional second param to escape() which, if provided, would override the default (just for that usage)?

I see this as helpful when quickly putting together a page and just wanting to inline the css/js for a sketch or a work in progress -- I know I'm gonna move it out eventually...
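The per-call override floated above, as an added sketch that is not code from this thread or from Zend_View itself; the View class, escapeJsString() and the sample value are assumptions constructed here to show why an HTML escaper is the wrong default once the same value lands inside inline JS:

```php
<?php
// Stand-alone illustration (not Zend_View): escape() uses the default
// escaper registered with setEscape() unless a per-call override is given.
class View
{
    /** @var callable default escaper, as registered with setEscape() */
    private $escaper = 'htmlspecialchars';

    public function setEscape($callback)
    {
        if (!is_callable($callback)) {
            throw new InvalidArgumentException('Escape callback must be callable');
        }
        $this->escaper = $callback;
    }

    // The override applies to this single call only; it is not stored,
    // so later calls fall back to the default escaper again.
    public function escape($value, $override = null)
    {
        $callback = ($override === null) ? $this->escaper : $override;
        return call_user_func($callback, $value);
    }
}

// Escaper for a value placed inside a JavaScript string literal: emit a
// JSON string literal. json_encode escapes "/" by default and the HEX
// flags turn < > & ' " into \uXXXX, so "</script>" cannot close the tag.
function escapeJsString($value)
{
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$view = new View();
$view->setEscape(function ($v) {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
});

// Constructed sample input that is harmless in HTML text once escaped,
// but would break out of an inline <script> if only HTML-escaped.
$name = "O'Brien </script><script>alert(1)</script>";

// HTML context: the default escaper is the right one.
echo '<p>Hello, ' . $view->escape($name) . "</p>\n";

// Inline JS context: override just for this call; the default still
// applies to every other escape() call in the same phtml file.
echo '<script>var user = ' . $view->escape($name, 'escapeJsString') . ";</script>\n";
```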
