Posted by Martin Braun on 09/30/00 11:20
Jochem Maas wrote:
> ERGO a big wall should be put between incoming Request data and the designer,
> because allowing the possibility of doing something nasty with POST/GET/etc
> is just as 'dangerous' (if not more so) than giving a designer the possibility
> of using more complex syntax (especially given that a programmer would have to
> write the object _and_ make it available in the template).
I can understand your reasons, but I don't think there are no uses for
GPC... data in templates. For instance, you could select a different
layout by adding a ?layout=printable or something to your URLs, leaving
the design logic to Smarty.
However, I was surprised to find that there is no $security_setting
which disables usage of superglobals. Surely something like
ALLOW_SUPERGLOBALS can't be that hard to implement?
> also SESSION/ENV/SERVER are for programmers not designers. again MO
Disagree: I use $smarty.server.HTTP_USER_AGENT to make my templates IE
compatible (although I sometimes ask myself why I bother).
But again, it might be an idea to prohibit use of session etc. through
sec settings.
cheers
martin
--
Why free software? This is why: http://www.deshalbfrei.org/
Please use my public PGP key: http://www.mbant.de/mbant-gpg-key
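An added example, not code from this thread or from the Smarty project, of the "wall" Jochem describes combined with the setting Martin asks for: the programmer allowlists the `layout` query parameter and the User-Agent check and assigns the results, while template security refuses superglobal access. It assumes the Smarty 3.1 API (`Smarty_Security`, `$allow_super_globals`, `enableSecurity()`), which postdates this thread; the autoload path, template names and the `LAYOUTS` table are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes Smarty 3.1, whose
// Smarty_Security class and $allow_super_globals flag postdate this post.
require_once 'vendor/autoload.php'; // hypothetical path to Smarty

// Template-side wall: $smarty.get/.post/.server/.session/.env are refused
// at compile time, so a designer cannot reach request data directly.
class LockedDownSecurity extends Smarty_Security
{
    public $allow_super_globals = false;
    public $php_handling = Smarty::PHP_REMOVE;
    public $allow_constants = false;
}

// Programmer-side allowlist: the only request-derived choice a designer
// may switch on, mapped to fixed template names (hypothetical files).
const LAYOUTS = [
    'default'   => 'layout_default.tpl',
    'printable' => 'layout_printable.tpl',
];

function chooseLayout(array $get): string
{
    $key = $get['layout'] ?? 'default';
    return LAYOUTS[$key] ?? LAYOUTS['default']; // unknown values fall back
}

// The User-Agent check Martin does in the template, moved to PHP so the
// template only sees a boolean rather than the raw header.
function isLegacyIe(string $userAgent): bool
{
    return (bool) preg_match('/MSIE \d/', $userAgent);
}

$smarty = new Smarty();
$smarty->setTemplateDir(__DIR__ . '/templates'); // hypothetical directory
$smarty->enableSecurity(new LockedDownSecurity($smarty));

// Derive in PHP, assign to the template: it never touches $_GET/$_SERVER.
$smarty->assign('layout', chooseLayout($_GET));
$smarty->assign('legacy_ie', isLegacyIe($_SERVER['HTTP_USER_AGENT'] ?? ''));
$smarty->display('page.tpl');
// page.tpl can use {include file=$layout} and {if $legacy_ie}...{/if};
// a template that references {$smarty.get.layout} now fails to compile.
```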