security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Tue Apr 10 16:50:45 PDT 2007
Jonathan Daugherty wrote:
> Howdy,
>
> Thanks for taking the time to produce these patches. When I get some
> time, I will definitely do a pass to be sure that output is properly
> escaped. In the meantime, it would be extremely helpful if you can:
>
> - Produce patches using the "diff" command
>
Uhmmm... diff? Well, I never worked with diff before... but I'll take a
look at it.
> - Modify the templates -- not the PHP code itself -- when escaping
> output. The templates are the correct place for that; the PHP code
> is not.
>
Why? Templates are for output, not for processing... AND as soon as you
get the data in your system you should clean it. Not just before
presentation. All harm could have been done. Besides, I like to fight the
bull by its horns, not by its tail.
br,
Niels
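As an added illustration of the "escape in the template, not on input" point Jonathan raises above (example code, not from PHP-server-1.1 or either author; the `render_comment()`, `h()`, `u()` and `store_comment()` names and the sample `$comment` array are constructed for this example), the snippet stores user input unmodified and applies a context-specific escape at each placeholder in the template:

```php
<?php
// Added example, not part of PHP-server-1.1: escape at output time, per
// context, instead of "cleaning" data once when it enters the system.

// Constructed sample input, as a user might submit it.
$comment = [
    'author' => 'Niels "the tester" <niels@example.com>',
    'body'   => 'Use the <b> tag & see what happens',
    'site'   => 'https://example.com/?q=a&b=c',
];

// Store the value exactly as submitted. The same string may later go into
// a plain-text mail, a JSON API or a log, and each of those needs its own
// encoding, so HTML-escaping here would be right for one sink and wrong
// for all the others (a mail subject would show "&quot;the tester&quot;").
function store_comment(array $c): array {
    return $c;
}

// Escape for HTML element content and attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for a URL query component; different rules from h().
function u(string $s): string {
    return rawurlencode($s);
}

// The template: every placeholder is escaped for the context it lands in.
// The URL parameter is first URL-encoded, then HTML-encoded because it sits
// inside an HTML attribute; encodings are layered innermost-sink-first.
function render_comment(array $c): string {
    return '<div class="comment">'
         . '<a href="/redirect?to=' . h(u($c['site'])) . '">' . h($c['author']) . '</a>'
         . '<p>' . h($c['body']) . '</p>'
         . '</div>';
}

// Plain-text sink: uses the raw stored value, no HTML entities leak in.
function mail_subject(array $c): string {
    return 'New comment from ' . $c['author'];
}

$stored = store_comment($comment);
echo render_comment($stored), PHP_EOL;
echo mail_subject($stored), PHP_EOL;
```

Run with `php example.php`; the HTML output contains `&lt;b&gt;` and `&quot;`, while the mail subject line keeps the author string verbatim, which is what breaks if escaping is done on input instead.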