Need more escape functions
Now Fuel has only e().
But we need more escape functions to prevent XSS.
For example, Aura has
$this->escape()->html()
$this->escape()->attr()
$this->escape()->css()
$this->escape()->js()
https://github.com/auraphp/Aura.Html#escaping
Zend has
escapeHtml
escapeHtmlAttr
escapeJs
escapeCss
escapeUrl
http://framework.zend.com/manual/2.3/en/modules/zend.escaper.introduction.html
What do you think?
@kenjis, is it still worth having a discussion about this?
Personally, I have never used e() since I always use
'output_filter' => array('Security::htmlentities'),
in my configs, which means Fuel escapes every bit of data by default, and using e() is no longer needed. This config is also the app default, which is not true for other frameworks like Aura and Zend.
Yes and no.
Personally, I use Twig, so I don't need escaping functions in Fuel, because Twig has them all.
But if we use Fuel's default view, we still need escaping functions.
Because e() is not enough. It can't escape strings in special parts of HTML. That is, in attributes, event handlers, script tags and style tags.
e() is equivalent to htmlentities() in PHP. And htmlentities() is also not enough to prevent XSS. There is an RFC https://wiki.php.net/rfc/escaper. Unfortunately it is still under discussion, though.
Personally, I recommend not using variables at all in these special parts of HTML. But users can use variables in such more dangerous parts.
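To make the difference concrete, here is a compact version of what such context-specific escapers look like, added as an example (not FuelPHP, Aura or Zend code; the function names mirror Zend's but the bodies are this example's own and assume PHP 7.2+ with mbstring):

```php
<?php
// Added example (not FuelPHP, Aura or Zend code): context-specific escapers in
// the style of Zend\Escaper. Each encodes every character outside a small
// allow-list in the target syntax, which htmlentities()/e() do not do.

function escapeHtmlAttr(string $s): string
{
    // Also encodes space, so the value stays one token even in an unquoted attribute.
    return preg_replace_callback('/[^A-Za-z0-9,._-]/u', function (array $m): string {
        static $named = ['&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'];
        return $named[$m[0]] ?? sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

function escapeJs(string $s): string
{
    // For a quoted JS string literal only: \xHH below U+0100, \uHHHH otherwise
    // (surrogate pair above U+FFFF), so quotes, newlines and "</script>" cannot appear.
    return preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp <= 0xFFFF) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    }, $s);
}

function escapeCss(string $s): string
{
    // CSS hex escapes are terminated by a space so the next literal char is not absorbed.
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// Constructed sample value rendered into each of the "special parts" of HTML.
$v = "it's <b>";
echo '<input value=' . escapeHtmlAttr($v) . ">\n";
echo "<script>var v = '" . escapeJs($v) . "';</script>\n";
echo "<style>.x:after { content: '" . escapeCss($v) . "'; }</style>\n";
```

The attribute output for the sample is `it&#x27;s&#x20;&lt;b&gt;`; note that htmlentities() would leave the space untouched, which is exactly why it is not enough in an attribute.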