| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Nullabillity 3475 days ago

And then, to avoid XSS, you'd need to replace that by:

    <?php foreach($list as $item) { ?>
        <li><?= htmlentities($item['name']) ?>
    <?php } ?>

Which is, IMO, the main problem with using PHP (or any other from of plain string concatenation) as a templating language. Escaping everything (and security in general) should be the default, not something that you have to opt into at every turn.

2 comments

TeMPOraL 3475 days ago

True, though as you note, this is essentially true of any form of plain string concatenation. Dedicated templating languages tend to fail at this too.

Escaping-as-default helps, but people sometimes forget escaping is a function of output context. For example,

  <script>
    frobnicate("{bar}");
  </script>

is a potential vulnerability if the default escaping mechanism for {bar} is one meant for HTML.

link

gabordemooij 3473 days ago

you can actually 100% separate HTML from server (or client) side logic if you wish to:

http://stampte.com/

link