PHP as a template engine, or recipe for disaster?
Published 2005-04-04 00:00:00
Whenever someone starts talking about template engines, there's an equally vocal community that gently suggests that PHP itself is a great template engine. Well, I think this week that sounded a lot like bollocks...
The pear website, while not a masterpiece of PHP code, was written by some pretty smart people, and uses (in parts) the concept of PHP as a template engine. Last week, however, we got a very polite email to the group mentioning that it was possible to perform cross-site scripting attacks on some pages.
The root of the issue was that it was outputting variables (taken either directly or indirectly from input) which had not been escaped correctly for the HTML or JavaScript context they ended up in, so it was possible to make your favourite JavaScript hacks work through the URL.
While the issues with pearweb were not that serious, they did illustrate the problem of simple PHP templating compared with more complex engines like Flexy.
When I wrote Flexy, I'd been doing web development for quite a while, and realized that, like everyone else, I make mistakes (some may say like my opinions on this blog). So to some degree I tend to prefer my applications to protect me from myself, while at the same time allowing me to deliberately break things.
One of the more unusual features of Flexy is that all tags, e.g. {stuffThatOutputsVariables} or method calls, are HTML-escaped by default (unless you explicitly add the :h modifier). Not only this, these tags within JavaScript blocks just don't work: you are forced to use the <flexy:tojavascript> tag to send variables to the JavaScript code, again reducing the chances of accidentally letting your friendly hacker have fun with your site.
So while PHP templates have some advantages, in that they don't require a compile step, that penalty seems a small price to pay for the extra protection... so Flexy's new catchphrase may be, "Put your condom on, and use a Flexy Template Engine..."
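To make the escaping rules concrete, here is an added example (not pearweb's or Flexy's own code) that renders the same fragment first as a plain PHP template and then with the per-context escaping a Flexy-style engine applies by default; the helper names and the sample input value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for an HTML text or attribute context.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape a value for a JavaScript string inside a <script> block: JSON-encode it
// (which supplies the surrounding quotes) and hex-encode < > & ' " so that a
// value containing "</script>" or a quote cannot leave the string literal.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The pattern the post criticises: a plain PHP template that echoes the value
// unchanged into both an HTML context and a JavaScript context.
function renderUnsafe(string $name): string
{
    return "<p>Hello, {$name}</p>\n"
         . "<script>var who = '{$name}';</script>";
}

// The behaviour Flexy gives by default: {name} is HTML-escaped, and the value
// reaches JavaScript only through a dedicated, separately escaped channel.
function renderSafe(string $name): string
{
    return "<p>Hello, " . escHtml($name) . "</p>\n"
         . "<script>var who = " . escJs($name) . ";</script>";
}

// Constructed sample: the kind of value a URL parameter can carry. The quote
// breaks out of the JS string in the unsafe version and the <b> becomes markup.
$name = "O'Neil <b>";
echo "--- unsafe ---\n", renderUnsafe($name), "\n";
echo "--- safe ---\n", renderSafe($name), "\n";
```

Run it with the PHP CLI and compare the two outputs: in the unsafe rendering the apostrophe terminates the JavaScript string literal and the tag is interpreted as HTML, while the safe rendering keeps both as inert data.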