Posted by Jochem Maas on 10/01/97 11:20
Martin Braun wrote:
> Jochem Maas wrote:
>
>>ERGO a big wall should be put between incoming Request data and the designer,
>>because allowing the possibility of doing something nasty with POST/GET/etc
>>is just as 'dangerous' (if not more so) than giving a designer the possibility
>>of using more complex syntax (especially given that a programmer would have to
>>write the object _and_ make it available in the template.
>
>
> I can understand your reasons, but I don't think there are no uses for
> GPC... data in templates. For instance, you could select a different
I didn't say there are no uses ... I am pointing out that it's inconsistent
when taken next to the arguments for not allowing full object syntax
(for example) in templates (especially static calls & dereferencing in php5)
> layout by adding a ?layout=printable or something to your URLs, leaving
> the design logic to smarty.
>
> However, I was surprised to find that there is no $security_setting
> which disables usage of superglobals. Surely something like
> ALLOW_SUPERGLOBALS can't be that hard to implement?
>
>
>>also SESSION/ENV/SERVER are for programmers not designers. again MO
>
>
> Disagree: I use $smarty.server.HTTP_USER_AGENT to make my templates IE
> compatible (although I sometimes ask myself why I bother).
the guys at W3C sigh once more. ;-)
>
> But again, it might be an idea to prohibit use of session etc. through
> sec settings.
>
> cheers
> martin
>
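
Added example, not part of the original thread and not Smarty's own code: one way to build the "wall" discussed above is for the programmer to reduce `$_GET` and `$_SERVER` to a few validated values and hand only those to the template. The names `ALLOWED_LAYOUTS` and `build_template_vars` are hypothetical, and the sample input is constructed.

```php
<?php
// Hypothetical allowlist of layouts a designer may switch between.
const ALLOWED_LAYOUTS = ['default', 'printable'];

/**
 * Reduce raw request data to a small set of validated values.
 * The template only ever sees the returned array, never the superglobals.
 */
function build_template_vars(array $get, array $server): array
{
    // Allowlist the layout; arrays and unknown names fall back to the default.
    $layout = $get['layout'] ?? 'default';
    if (!is_string($layout) || !in_array($layout, ALLOWED_LAYOUTS, true)) {
        $layout = 'default';
    }

    // Expose a boolean, not the client-supplied User-Agent string itself,
    // so the raw header can never be echoed into the page by a template.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $isIe = is_string($ua)
        && (stripos($ua, 'MSIE') !== false || stripos($ua, 'Trident/') !== false);

    return ['layout' => $layout, 'is_ie' => $isIe];
}

// Constructed sample input standing in for $_GET and $_SERVER.
$samples = [
    [['layout' => 'printable'],
     ['HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)']],
    [['layout' => 'no-such-layout'],
     ['HTTP_USER_AGENT' => '"><b>markup in header</b>']],
    [['layout' => ['unexpected', 'array']], []],
];

foreach ($samples as [$get, $server]) {
    // Prints layout=printable/is_ie=true, then the default layout with
    // is_ie=false for both malformed requests.
    var_dump(build_template_vars($get, $server));
}

// In a controller, the result would be passed on with Smarty's assign():
//   foreach (build_template_vars($_GET, $_SERVER) as $k => $v) {
//       $smarty->assign($k, $v);
//   }
```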