Re: [fw-general] FW: Using 'action' view helper
On Monday 13 July 2009 04:52:56 Sergio Rinaudo wrote: Hi, I want to use the 'action' view helper ( $this-action([..]) ) to widgetize some content of a certain request. My problem is that I get the whole layout, not just the content I need. What shoul I do to render only the content of an action? Thanks You really shouldn't do it like that as action() helper comes with a performance penalty, this' been discussed on this list already. You could make view helpers for widget sort of thing. But, to answer your question, you can set an additional param (say, noLayout: true) in your action() call, check for that param inside the action and, if set, disable the layout. -- Dado
Re: [fw-general] App/Controller.php and ZF 1.8 Bootstrap
As usual Thanks Matthew
Eric Haskins
Matthew Weier O'Phinney-3 wrote:
Is your new controller properly calling the parent in its init() method?
class FooController extends App_Controller
{
public function init()
{
parent::init();
// do some more...
}
}
If not, that would account for $_flashMessenger being a non-object on
that line, as it would not have been initialized...
--
Matthew Weier O'Phinney
Project Lead| matt...@zend.com
Zend Framework | http://framework.zend.com/
--
View this message in context:
http://www.nabble.com/App-Controller.php-and-ZF-1.8-Bootstrap-tp24455220p24456908.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] FW: Using 'action' view helper
Please reply to the list. On Monday 13 July 2009 08:22:15 Sergio Rinaudo wrote: Hi, thank for your answer. I've already tried to use a parameter to disable the layout, but using this method also the main layout will be disabled. Can you paste your code here, somebody will surely be able to figure it out. :) Do you know where can I see the widget view helper that you are talking about? Does it bring performance issue? There isn't really an example, but let me explain: if you have a need for the same kind of view logic in multiple places (an, by what you're trying to do, you have), a view helper to extract the logic is a good approach. Basically, a very rough example: /controller/action1: $this-content = $model-getMyWidgetStuff(); $this-sidebar = $model-getMyOtherStuff(); (now in view): ?php echo $this-contentRender($this-content); ? ?php echo $this-widgetRender($this-sidebar); ? /controller/action2: // notice different model calls (different data being displayed) $this-content = $model-getMyNewStuff(); $this-sidebar = $model-getMyWidgetStuff(); (now in view): ?php echo $this-contentRender($this-content); ? ?php echo $this-widgetRender($this-sidebar); ? You create an abstract enough view helper (or helpers) and bind data to them inside the controller. Thanks Sergio Rinaudo From: d...@krizevci.info To: fw-general@lists.zend.com Date: Mon, 13 Jul 2009 09:17:44 +0200 Subject: Re: [fw-general] FW: Using 'action' view helper On Monday 13 July 2009 04:52:56 Sergio Rinaudo wrote: Hi, I want to use the 'action' view helper ( $this-action([..]) ) to widgetize some content of a certain request. My problem is that I get the whole layout, not just the content I need. What shoul I do to render only the content of an action? Thanks You really shouldn't do it like that as action() helper comes with a performance penalty, this' been discussed on this list already. You could make view helpers for widget sort of thing. But, to answer your question, you can set an additional param (say, noLayout: true) in your action() call, check for that param inside the action and, if set, disable the layout. -- Dado _ Naviga al sicuro, usa Windows Live Messenger! http://messenger.it/home_sicurezza.aspx -- Dado
FW: [fw-general] FW: Using 'action' view helper
Hi, thank for your answer. I've already tried to use a parameter to disable the layout, but using this method also the main layout will be disabled. Do you know where can I see the widget view helper that you are talking about? Does it bring performance issue? Thanks Sergio Rinaudo From: d...@krizevci.info To: fw-general@lists.zend.com Date: Mon, 13 Jul 2009 09:17:44 +0200 Subject: Re: [fw-general] FW: Using 'action' view helper On Monday 13 July 2009 04:52:56 Sergio Rinaudo wrote: Hi, I want to use the 'action' view helper ( $this-action([..]) ) to widgetize some content of a certain request. My problem is that I get the whole layout, not just the content I need. What shoul I do to render only the content of an action? Thanks You really shouldn't do it like that as action() helper comes with a performance penalty, this' been discussed on this list already. You could make view helpers for widget sort of thing. But, to answer your question, you can set an additional param (say, noLayout: true) in your action() call, check for that param inside the action and, if set, disable the layout. -- Dado Vesti Messenger come più ti piace. Scarica la nuova Raccolta scene! _ Naviga più semplice, più veloce e più sicuro. Scarica Internet Explorer 8 per MSN! http://cid-16be95750dd16d04.skydrive.live.com/self.aspx/le%20PV%20in%20viaggio!/89.JPG
Re: [fw-general] Front Controller Plugin or Action Helper
On Sun, Jul 12, 2009 at 11:20 AM, Rob Allen r...@akrabat.com wrote: On 12 Jul 2009, at 09:45, J DeBord wrote: I can code both of these, but I'm not sure what the correct method is. For recording hits to a website, which would you typically use? For checking if a Stay logged in cookie is set and logging the user in, which would you use? Hi, An FC plugin runs on every request and is generally for global operations. An action helper can optionally utilise hooks that run every request or can contain methods that are called on demand by the controller actions that require them. There's obviously some overlap between an action helper using hooks and an FC plugin. For both your examples, I personally would use a FC plugin for the stay logged in. I would use an action helper for recording hits as its likely that you may want to store additional info set by the controller action. Thanks. That makes sense. So if I want to either create a default identity for a user OR create an actual identity based on the Stay Logged In cookie, which hook should I use? routeStartup() maybe?
[fw-general] Multiple form elements rendered together
I have two selects: fieldName and sortOrder, I'd like to render them like
div class=field
label for=fieldNameSort by/label
select id=fieldName name=fieldName(...)/select
select id=sortOrder name=sortOrder
optionASC/option
optionDESC/option
/select
/div
and without using the view script for the form (this part is really important,
if it wasn't, this wouldn't warrant a question here :) )
So, the question is: how would you go about it? My first idea is to write a
decorator called ViewHelpers which would take element names to render, in this
case I'd set it to fieldName like this:
$fieldName-setDecorators(array(
'Label',
'ViewHelper',
array('ViewHelpers, array('elements' = array('sortOrder'))),
// rest of it
));
Do you see any obvious flaws in this plan?
--
Dado
[fw-general] Zend_Db_Table: Having one single class for intersection tables
Hello all, my application is composed of a lot of several modules. Each module corresponds to a table in the database. Basically each module can be linked to every other module in many to many relationship. This way when defining the tables in the Zend Framework, everytime I add the definition class of a new module, i need to add a definition class of each intersection tables as well. Let's say I have four modules: M1, M2, M3, M4... for each of them I need to have 3 intersection tables ie a total of 12 tables. I am looking for a way to have one generic class for defining these intersection tables. Has anyone any clue on how to achieve this? Thank you very much for your answers! -- View this message in context: http://www.nabble.com/Zend_Db_Table%3A-Having-one-single-class-for-intersection-tables-tp24459018p24459018.html Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] XSS Prevention with Zend Framework
-- howard chen howac...@gmail.com wrote (on Monday, 13 July 2009, 09:32 PM +0800): Back to the Mar 2008, some guy posted : http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP Any update on it? Is it possible to do XSS filtering with Zend Framework now? Zend_View::escape() has existed since the very first incarnations, and is recommended throughout the Zend_View manual pages as the appropriate way to sanitize user output: ?php echo $this-escape($this-foo) ? Unfortunately, I can't get to the wiki page currently (I'm working on fixing that...), but I will note: Starting with 2.0, escaping will be the default when retrieving variables from the view object, and you will need to request the raw value explicitly if you need it. This is a better approach, security-wise. Regardless, though XSS prevention has been baked in from the start. -- Matthew Weier O'Phinney Project Lead| matt...@zend.com Zend Framework | http://framework.zend.com/
Re: [fw-general] CLA Approval Process
-- Nick Pack n...@nickpack.com wrote (on Monday, 13 July 2009, 02:41 PM +0100): Apologies if this is the wrong place to ask, I am posting this here because I see a lot from the 'main' of the frameworks developers here. I emailed a signed CLA early last week, and as yet have had no response, just wondering if there is anything else I need to do, and whether or not I should recieve some form of confirmation. We have somebody in-office who typically processes them each Monday. However, it sometimes takes longer due to the other duties they have -- but not much longer. -- Matthew Weier O'Phinney Project Lead| matt...@zend.com Zend Framework | http://framework.zend.com/
Re: [fw-general] Multiple form elements rendered together
On Monday 13 July 2009 16:58:03 Matthew Weier O'Phinney wrote:
-- Dalibor Karlović d...@krizevci.info wrote
(on Monday, 13 July 2009, 11:56 AM +0200):
I have two selects: fieldName and sortOrder, I'd like to render them like
div class=field
label for=fieldNameSort by/label
select id=fieldName name=fieldName(...)/select
select id=sortOrder name=sortOrder
optionASC/option
optionDESC/option
/select
/div
and without using the view script for the form (this part is really
important, if it wasn't, this wouldn't warrant a question here :) )
So, the question is: how would you go about it?
I'd use a DisplayGroup, and assign minimal decorators to each of the
elements:
$form-addElement('select', 'fieldName', array(
// ...
'decorators' = array('ViewHelper', 'Label'),
));
$form-addElement('select', 'sortOrder', array(
// ...
'decorators' = array('ViewHelper'),
));
$form-addDisplayGroup(array('fieldName', 'sortOrder'), 'field', array(
'decorators' = array(
'FormElements',
array('HtmlTag', array('tag' = 'div', 'class' = 'field')),
),
));
DOH! I forgot about DisplayGroup, in my mind it was == fieldset. :) Thanks,
Matthew.
--
Dado
Re: [fw-general] Multiple form elements rendered together
-- Dalibor Karlović d...@krizevci.info wrote
(on Monday, 13 July 2009, 07:14 PM +0200):
On Monday 13 July 2009 16:58:03 Matthew Weier O'Phinney wrote:
-- Dalibor Karlović d...@krizevci.info wrote
(on Monday, 13 July 2009, 11:56 AM +0200):
I have two selects: fieldName and sortOrder, I'd like to render them like
div class=field
label for=fieldNameSort by/label
select id=fieldName name=fieldName(...)/select
select id=sortOrder name=sortOrder
optionASC/option
optionDESC/option
/select
/div
and without using the view script for the form (this part is really
important, if it wasn't, this wouldn't warrant a question here :) )
So, the question is: how would you go about it?
I'd use a DisplayGroup, and assign minimal decorators to each of the
elements:
$form-addElement('select', 'fieldName', array(
// ...
'decorators' = array('ViewHelper', 'Label'),
));
$form-addElement('select', 'sortOrder', array(
// ...
'decorators' = array('ViewHelper'),
));
$form-addDisplayGroup(array('fieldName', 'sortOrder'), 'field', array(
'decorators' = array(
'FormElements',
array('HtmlTag', array('tag' = 'div', 'class' = 'field')),
),
));
DOH! I forgot about DisplayGroup, in my mind it was == fieldset. :) Thanks,
Matthew.
By default, it *does* render within fieldsets. But that's one of the
features of Zend_Form -- you can always override the defaults. :)
--
Matthew Weier O'Phinney
Project Lead| matt...@zend.com
Zend Framework | http://framework.zend.com/
Re: [fw-general] Zend_Form_Element_Captcha + Custom Decorator
I'm also attempting a custom decorator for captcha elements and found this
thread. When finally rendered, I would like to have this:
div id=custom_id class=custom_class
label id=custom_id_label for=custom_id_text
class=custom_class_label!-- label text --/label
p id=custom_id_description class=custom_class_description!--
description text --/p
ul id=custom_id_errors class=custom_class_errors!-- any error
messages --/ul
pre id=custom_id_captcha class=custom_class_captcha!-- captcha
challenge --/pre
input type=hidden name=captcha[id] value={captcha key}
id=custom_id_key /
input type=text name=captcha[text] value= id=custom_id_text
class=custom_class_text /
/div
I've been able to accomplish this with other form elements, but I'm having
difficulty with the captcha rendering (probably due to the Captcha_Word
class?). I either get two captchas, one rendered before the div, or the
additional hidden text inputs are rendered after the div. Could I have
some help in understanding how to store the captcha elements in a variable
as text before the actual rendering of them?
For instance, when I use:
$captcha = $element-getCaptcha()-render($view, $element);
all of the captcha elements are rendered before the div and then just the
prechallenge/pre is rendered inside the div.
Also, some direction about defining the custom id class attributes for the
elements as described above would be much appreciated.
TIA!
Matthew Weier O'Phinney-3 wrote:
-- Matthew Lurz mlur...@gmail.com wrote
(on Sunday, 31 August 2008, 04:42 AM -0700):
I'm having some difficulty understanding how to implement a custom
decorator
for a Captcha element. The manual states:
The decorator used is determined by querying the captcha adapter. By
default, the Captcha decorator is used, but an adapter may specify a
different one via its getDecorator() method.
Since all forms and elements in the application I'm working with require
custom markup I call loadDefaultDecorators in the custom form and element
classes. Unfortunately this doesn't seem to work with the Captcha
element. I
can understand why this wouldn't work to some extent but don't understand
how to correctly implement a custom decorator. In a nutshell, I simply
need
to remove the DtDd wrapper with and HtmlTag.
The default decorators for Captcha elements are:
* Errors
* HtmlTag (dd)
* Label (with dt tag)
When render() occurs, it shifts on the captcha decorator to the top of
the stack. So, simply call setDecorators as usual, but without a
ViewHelper decorator, and you'll be all set.
--
Matthew Weier O'Phinney
Software Architect | matt...@zend.com
Zend Framework | http://framework.zend.com/
--
View this message in context:
http://www.nabble.com/Zend_Form_Element_Captcha-%2B-Custom-Decorator-tp19241501p24466277.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Possible bug in Zend_Test_PHPUnit??
MATTHEW:No, actually. When you set it as you did in preDispatch(), there is
no
check until postDispatch() to see if a redirect occurred. This should
likely be changed; care to file an issue in the tracker?
ME: I had a similar problem, setting a redirect in the preDispatch() w/ the
same code you used in your login tutorial. I thought I'd get around the
issues by moving the code to a private method:
private function _redirectLoggedInUsers()
{
//redirect the following actions to the homepage
if(Zend_Auth::getInstance()-hasIdentity()) {
switch($this-getRequest()-getActionName()) {
case 'index':
case 'login':
case 'forgot':
return $this-_helper-redirector('index',
'index');
}
};
}
and then call that method from the ('index','login','forgot') controllers
respectively. But it behaves the same way as in preDispatch(). Zend_Test
ignores the redirect although it works fine in actual use.
--
View this message in context:
http://www.nabble.com/Possible-bug-in-Zend_Test_PHPUnit---tp21535557p24467170.html
Sent from the Zend Framework mailing list archive at Nabble.com.
[fw-general] Fw: $request-getParams() returns escaped data
Hi Just wanted to check if escaping for $request-getParams() can be turned off e.g. single quote( ' ) is replaced by ( \' ). I have tried it before calling any other methods but still the same, is there any helper or plugin I need to set options for? If it is a default, why I should create a filter to strip slashes while printing values where as if i can not put them as the first place. Thanks
Re: [fw-general] Fw: $request-getParams() returns escaped data
This isn't Zend Framework -- it sounds like you have magic quotes turned on. These should be disabled[1] when using Zend Framework. [1] http://us3.php.net/manual/en/security.magicquotes.disabling.php On Mon, Jul 13, 2009 at 3:44 PM, Muhammad Aliimjob@live.com wrote: Hi Just wanted to check if escaping for $request-getParams() can be turned off e.g. single quote( ' ) is replaced by ( \' ). I have tried it before calling any other methods but still the same, is there any helper or plugin I need to set options for? If it is a default, why I should create a filter to strip slashes while printing values where as if i can not put them as the first place. Thanks -- Bradley Holt bradley.h...@foundline.com
Re: [fw-general] Fw: $request-getParams() returns escaped data
On Mon, Jul 13, 2009 at 10:16 PM, Muhammad Aliimjob@live.com wrote: Hi Bradley Thank a lot for your answer you have saved me hours and injecting work arounds :) if(isset($postValues['title'])) $postValues['title'] = stripslashes($postValues['title']); That is a bad hack. Say you have a slash in it for real. Just get rid off magic quotes, they shouldn't be used anywhere anyway. Till
Re: [fw-general] Fw: $request-getParams() returns escaped data
Hi Till yeah I have removed this line, just wanted to show what i was using before. I have now turned off the magic quotes and all seems good. Thanks again -- From: till klimp...@gmail.com Sent: Monday, July 13, 2009 9:32 PM To: Muhammad Ali imjob@live.com Cc: Bradley Holt bradley.h...@foundline.com; fw-general@lists.zend.com Subject: Re: [fw-general] Fw: $request-getParams() returns escaped data On Mon, Jul 13, 2009 at 10:16 PM, Muhammad Aliimjob@live.com wrote: Hi Bradley Thank a lot for your answer you have saved me hours and injecting work arounds :) if(isset($postValues['title'])) $postValues['title'] = stripslashes($postValues['title']); That is a bad hack. Say you have a slash in it for real. Just get rid off magic quotes, they shouldn't be used anywhere anyway. Till
Re: [fw-general] XSS Prevention with Zend Framework
Hi Howard, The wiki page referred to wasn't all that clear that there are numerous vectors for XSS. The Zend Framework bakes in anti-XSS tactics for a subset of these vectors, but does not cover all of them. Indeed it couldn't possibly do so. When people talk about the XSS filtering in ZF, they are referring to the ability to escape HTML or XML output from Zend_View (which will be enabled by default in 2.0). The ZF also offers a reasonably robust validation and filtering system for forms. Zend_Db additionally has its own inward oriented escaping when dealing with databases. The wiki page refers to something else - the filtering of HTML input to make it safe for output a HTML (a case where Zend_View escaping doesn't apply). For example, perhaps users can submit comments containing HTML elements (you can't escape this or the HTML is lost and displayed literally). Perhaps you are consuming RSS or Atom feeds which contain HTML content (which is pretty much inevitable). These specific cases - where you need to output HTML coming from an external source out of your direct control is not addressed by the framework. The library noted, HTMLPurifier, is an amazing solution in my opinion and one that would be extremely difficult to emulate in the Zend Framework given its complexity (Edward does an amazing job maintaining it). For this specific XSS vector HTMLPurifier has no peer within the ZF. So in short, ZF does assist with XSS prevention - but there are vectors it simply does not address. This is not a failing or weakness but perhaps it is something we should note more clearly in the documentation where it is relevant. Pádraic Brady http://blog.astrumfutura.com http://www.survivethedeepend.com OpenID Europe Foundation Irish Representative From: howard chen howac...@gmail.com To: Zend Framework General fw-general@lists.zend.com Sent: Monday, July 13, 2009 2:32:38 PM Subject: [fw-general] XSS Prevention with Zend Framework Back to the Mar 2008, some guy posted : http://framework.zend.com/wiki/display/ZFDEV/Cross+Site+Scripting+Prevention+for+PHP Any update on it? Is it possible to do XSS filtering with Zend Framework now? Thanks.
Re: [fw-general] Zend_Db_Table: Having one single class for intersection tables
This is difficult in the current iteration of Zend_Db_Table since Zend_Db_Table's only use case requires each table name to implemented as a class that extends Zend_Db_Table. In ZF 1.9, I have implemented a feature where Zend_Db_Table can be used as a concrete instance. When this drops, you'll be able to configure your tables in a deinfition and expect them to work without extending Zend_Db_Table The code is here: http://framework.zend.com/svn/framework/standard/branches/user/ralph/ZendDbTable/ and the feature request is here: http://framework.zend.com/issues/browse/ZF-3486 Stay tuned, -ralph pifoux2000 wrote: Hello all, my application is composed of a lot of several modules. Each module corresponds to a table in the database. Basically each module can be linked to every other module in many to many relationship. This way when defining the tables in the Zend Framework, everytime I add the definition class of a new module, i need to add a definition class of each intersection tables as well. Let's say I have four modules: M1, M2, M3, M4... for each of them I need to have 3 intersection tables ie a total of 12 tables. I am looking for a way to have one generic class for defining these intersection tables. Has anyone any clue on how to achieve this? Thank you very much for your answers!
Re: [fw-general] Zend_Form_Element_Captcha + Custom Decorator
Nevermind. I think I worked it out. I was trying too hard, but a custom decorator for the Captcha_Word was still necessary. If you're like me, re-read Matthew's answer a couple times and maybe it'll sink in. :blush: Matthew Weier O'Phinney-3 wrote: -- Matthew Lurz mlur...@gmail.com wrote (on Sunday, 31 August 2008, 04:42 AM -0700): I'm having some difficulty understanding how to implement a custom decorator for a Captcha element. The manual states: The decorator used is determined by querying the captcha adapter. By default, the Captcha decorator is used, but an adapter may specify a different one via its getDecorator() method. Since all forms and elements in the application I'm working with require custom markup I call loadDefaultDecorators in the custom form and element classes. Unfortunately this doesn't seem to work with the Captcha element. I can understand why this wouldn't work to some extent but don't understand how to correctly implement a custom decorator. In a nutshell, I simply need to remove the DtDd wrapper with and HtmlTag. The default decorators for Captcha elements are: * Errors * HtmlTag (dd) * Label (with dt tag) When render() occurs, it shifts on the captcha decorator to the top of the stack. So, simply call setDecorators as usual, but without a ViewHelper decorator, and you'll be all set. -- Matthew Weier O'Phinney Software Architect | matt...@zend.com Zend Framework | http://framework.zend.com/ -- View this message in context: http://www.nabble.com/Zend_Form_Element_Captcha-%2B-Custom-Decorator-tp19241501p24472655.html Sent from the Zend Framework mailing list archive at Nabble.com.
[fw-general] Action_HelperBroker refuses to add path in 1.8.4?
Hi guys,
Have been trying to figure this one out for a while now, have also checked
out the bug tracker and didn't find anything conclusive so thought I'd
solicit advice from the pros.
I've spent part of today migrating my site to the latest and greatest 1.8.4,
and all has been going well except for the integration of my action helpers.
Within my bootstrap I've added the following:
protected function _initActionHelpers()
{
Zend_Controller_Action_HelperBroker::addPath(APPLICATION_PATH .
'/controllers/helpers');
}
(I've confirmed APPLICATION_PATH is indeed pointing to the correct location,
and that _initActionHelpers is indeed executing)
For sake of example here's an action helper I've been using, which has been
saved to my site's /application/controllers/helpers directory:
class Zend_Controller_Action_Helper_Calculator extends
Zend_Controller_Action_Helper_Abstract
{
public function multiply($first, $second)
{
return $first * $second;
}
}
All looking good, right? So I try to call the helper within a controller
action like this:
$calculator = $this-_helper-calculator-multiply(5,4);
Without fail, I receive the following message:
Message: Action Helper by name Calculator not found
I've tried various permutations, such as adding and configuring a helper
prefix, but nothing is working. For kicks I even moved the Calculator helper
into \library\Zend\Controller\Action\Helper and that didn't do the trick.
Surely I'm missing something rather trivial here?
Incidentally I tried this on otherwise working ZF 1.8.4-powered sites on
both Windows XP and Ubuntu, and in both cases the helper cannot be found.
Thanks!
Jason
--
View this message in context:
http://www.nabble.com/Action_HelperBroker-refuses-to-add-path-in-1.8.4--tp24472950p24472950.html
Sent from the Zend Framework mailing list archive at Nabble.com.
Re: [fw-general] Fw: $request-getParams() returns escaped data
-- Muhammad Ali imjob@live.com wrote (on Monday, 13 July 2009, 09:16 PM +0100): An other quick question for the mailing list, does using Zend_Config as Array rather as INI files improves performance, is it worth doing? Using native arrays will of course be faster to parse than INI or XML. That said, it's likely to have negligible effect on your application performance. Profile your application using XDebug or Zend Debugger to find the real bottlenecks. -- From: Bradley Holt bradley.h...@foundline.com Sent: Monday, July 13, 2009 8:53 PM To: Muhammad Ali imjob@live.com Cc: fw-general@lists.zend.com Subject: Re: [fw-general] Fw: $request-getParams() returns escaped data This isn't Zend Framework -- it sounds like you have magic quotes turned on. These should be disabled[1] when using Zend Framework. [1] http://us3.php.net/manual/en/security.magicquotes.disabling.php On Mon, Jul 13, 2009 at 3:44 PM, Muhammad Aliimjob@live.com wrote: Hi Just wanted to check if escaping for $request-getParams() can be turned off e.g. single quote( ' ) is replaced by ( \' ). I have tried it before calling any other methods but still the same, is there any helper or plugin I need to set options for? If it is a default, why I should create a filter to strip slashes while printing values where as if i can not put them as the first place. Thanks -- Bradley Holt bradley.h...@foundline.com -- Matthew Weier O'Phinney Project Lead| matt...@zend.com Zend Framework | http://framework.zend.com/
Re: [fw-general] XSS Prevention with Zend Framework
Hi
fixing that...), but I will note: Starting with 2.0, escaping will be
the default when retrieving variables from the view object, and you will
need to request the raw value explicitly if you need it. This is a
Thats sounds like a ZF version of magic_quotes... How do you want to
deal with different escaping in javascript, css, html, xml? View
script could be mix of anything i.e:
?php $this-var = '1/2' ?
p onclick=alert(quot;?php echo $this-var; ?quot;)?php echo
$this-var; ?/p
script
document.title = ?php echo $this-var; ?
/script
and the correct output is:
p onclick=alert(quot;1\/2\quot;quot;)1/2quot;/p
script
document.title = 1\/2\;
/script
For a proper automatic escaping you need an information about context
which is very hard (impossible) to get now...
html: htmlspecialchars($s, ENT_QUOTES)
xml: htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#',
'', $s), ENT_QUOTES)
css: addcslashes($s, \x00..\x2C./:;=?...@[\\]^`{|}~)
ccs inside html attributes: htmlspecialchars(addcslashes($s,
\x00..\x2C./:;=?...@[\\]^`{|}~), ENT_QUOTES)
javascript: json_encode($s)
js inside html attributes: htmlspecialchars(json_encode($s), ENT_QUOTES);
--
Ondrej Ivanic
(ondrej.iva...@gmail.com)
