On Jan 23, 2008, at 2:01 PM, Cliff Hirsch wrote:
On 1/23/08 1:54 PM, "John Campbell" wrote:
If there is a separation between the programmer and the template
editor, it presents another problem. Who is responsible for escaping
the data?
I decided that the view/template has to be responsible for escaping.
Imagine you have a controller action for displaying a listing... you
could use the same controller action with different templates to
provide: an html view, an rss feed, a json/xml/etc webservice
result. Some of those will have different requirements for escaping
the data. For our company, the programmers do a good amount of the
templates - at least provide an initial version. We train any other
template editors on escaping, but usually it's already done for them
in the first draft from the programmers and they only need to shuffle
things around. Of course... there's the issue of the programmers not
remembering to escape things in that first draft of the template. It
would be ideal to do peer review and have some kind of testing via
Selenium or something similar to make sure everything is escaped
properly.
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
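An added illustration of the point made in the reply above (example code, not from the thread or any NYPHP project): one controller action hands the same raw rows to an HTML, an RSS and a JSON template, and each template applies the escaping its own output format requires. The function names and sample rows are invented for the example.

```php
<?php
// Controller: returns raw data only and does not know which template will render it.
function listingAction(): array {
    // Constructed sample rows containing characters that are special in
    // HTML, XML and JSON, as a hostile user might submit them.
    return [
        ['title' => 'Tom & Jerry <script>alert(1)</script>', 'url' => 'http://example.com/?a=1&b="x"'],
        ['title' => "O'Reilly \"quotes\" </title>",          'url' => 'http://example.com/2'],
    ];
}

// HTML template: escape every value for HTML body and attribute context.
function renderHtml(array $rows): string {
    $e = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = "<ul>\n";
    foreach ($rows as $r) {
        $out .= '  <li><a href="' . $e($r['url']) . '">' . $e($r['title']) . "</a></li>\n";
    }
    return $out . "</ul>\n";
}

// RSS template: XML has its own rules (ENT_XML1 emits only entities XML parsers accept).
function renderRss(array $rows): string {
    $e = fn(string $s) => htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    $out = "<?xml version=\"1.0\"?>\n<rss version=\"2.0\"><channel>\n";
    foreach ($rows as $r) {
        $out .= '  <item><title>' . $e($r['title']) . '</title><link>' . $e($r['url']) . "</link></item>\n";
    }
    return $out . "</channel></rss>\n";
}

// JSON template: json_encode does the escaping; the JSON_HEX_* flags keep the
// document safe even if a consumer later drops it straight into a <script> block.
function renderJson(array $rows): string {
    return json_encode(
        $rows,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Had the controller HTML-escaped the rows up front, the JSON consumer would
// receive "Tom &amp; Jerry &lt;script&gt;..." as literal data, and the RSS feed
// would carry HTML-only entities. That is why the template, not the controller,
// owns escaping: only the template knows the output context.
$rows = listingAction();
echo renderHtml($rows), renderRss($rows), renderJson($rows), "\n";
```

Each renderer takes the identical `$rows`, so the data stays correct in every format and the check a reviewer has to make is local to each template.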