security bug in PHP-server-1.1
Jonathan Daugherty
cygnus at janrain.com
Tue Apr 10 17:06:55 PDT 2007
# why? templates are for output, not for processing... AND as soon as
# you get the data in your system you should clean it.
Yes, that's true. But you clean it so output is safe, and so that
passing it through services (i.e., a database) is safe. There's no
point in cleaning the data until you use it in a dangerous context;
escape content in templates and quote strings that are used to build
SQL. (The latter is taken care of by PEAR.) The escaping should be
done in templates because it is only an output detail, not a
processing one. That's something I clearly didn't do enough of in the
current templates (and error-reporting).
--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com
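The distinction drawn above (store data raw, escape only at the output boundary, let the database layer handle SQL quoting) as an added example; this is not code from the PHP OpenID server or from the poster. It assumes PHP 8 with the PDO SQLite driver, and the template syntax, function names and the sample identity string are constructed for the illustration.

```php
<?php
// Added example, not part of the original post or the PHP OpenID server.
// Point: keep stored data unmodified; escape per output context in the
// template layer; build SQL only through prepared statements.
declare(strict_types=1);

// One escaper per output context. Escaping at input time cannot do this,
// because the same value may later land in HTML text, an attribute, or a URL.
function escHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function escUrlParam(string $s): string {
    return rawurlencode($s);
}

// Minimal template renderer (constructed syntax): {h:name} is escaped for
// HTML text/attribute context, {u:name} for a URL query component.
function render(string $tpl, array $vars): string {
    return preg_replace_callback('/\{(h|u):(\w+)\}/', function (array $m) use ($vars): string {
        $value = (string)($vars[$m[2]] ?? '');
        return $m[1] === 'u' ? escUrlParam($value) : escHtml($value);
    }, $tpl) ?? '';
}

// Storage: the value goes in exactly as received. The driver quotes it;
// the application never concatenates user data into an SQL string.
function storeIdentity(PDO $db, string $identity): void {
    $stmt = $db->prepare('INSERT INTO identities (identity) VALUES (:identity)');
    $stmt->execute([':identity' => $identity]);
}
function loadIdentities(PDO $db): array {
    return $db->query('SELECT identity FROM identities ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// --- Demo on constructed input containing a quote and markup characters ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE identities (id INTEGER PRIMARY KEY, identity TEXT NOT NULL)');

$identity = "http://example.com/user?name=O'Brien&tag=<b>x</b>";
storeIdentity($db, $identity);

// Round-trips unchanged: nothing was "cleaned" on the way in, and the
// apostrophe never reached the SQL parser as syntax.
if (loadIdentities($db) !== [$identity]) {
    throw new RuntimeException('stored value was altered');
}

// The same raw value is escaped differently for each place it appears.
$tpl = '<p>Identity: {h:identity}</p>' . "\n"
     . '<a href="/trust?id={u:identity}">trust this site</a>';
echo render($tpl, ['identity' => loadIdentities($db)[0]]), PHP_EOL;
```

Running it prints the apostrophe as `&#039;` and the tag as `&lt;b&gt;` in the paragraph, but as `%27` and `%3C` inside the link target; had the value been HTML-escaped when it arrived, the URL context would have received the wrong encoding and the database a corrupted copy of the identity.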