On Aug 18, 2006, at 5:39 AM, Morbus Iff wrote:
> I'd like to know the reasoning/discussion behind using the existing % for the least obvious (theme_placeholder) and the new and entirely unknown @ for the most obvious (check_plain).
in case anyone's confused about this, theme_placeholder() calls check_plain() for you, so from a security perspective, the 2 are equivalent. the only real difference is '%' (theme_placeholder) will wrap your string in <em> whereas '@' (check_plain) won't.

i'm fine with this change to t(), but once again, i must object to the rather insane combinations of layers of drupal code that might or might not call check_plain() or otherwise sanitize your output for you. :( no wonder it's hard for developers to write secure code, correct code. for the life of me, i can't figure out the reasoning behind (and therefore have any intuition about) what functions sanitize my output and which ones don't.

theme_* sometimes does
format_* often does
check_* always does
l() and url() do ...

how are we supposed to keep this stuff straight? from brute-force repetition of reading api.drupal.org, i can kind of remember now how to do it right, but it's a waste of time and energy, and the whole system is *highly* error prone. there are probably dozens of places that end up sanitizing twice, due to confusion about what function does the cleaning, and people erring on the side of "better safe than sorry" (for example, see http://drupal.org/node/79611#comment-126559).

it's way too late in the dev cycle for this, but i'd cast a large vote for a much more coherent way of handling output conversion and sanitizing in the next core API.

thanks,
-derek
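Added illustration, not code from the thread or from Drupal itself: a minimal stand-in for the t() placeholder handling described above ('@' escapes via check_plain(), '%' escapes and wraps in <em>), followed by the double-sanitizing mistake derek points at. The my_* function names are hypothetical substitutes for the Drupal functions named in the message, and the sample input is constructed.

```php
<?php
// Hypothetical stand-in for check_plain(): escape text for HTML output.
function my_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for theme_placeholder(): check_plain() plus <em> wrapper,
// mirroring the behaviour described in the thread.
function my_theme_placeholder(string $text): string {
    return '<em>' . my_check_plain($text) . '</em>';
}

// Hypothetical stand-in for t(): substitute placeholders according to their prefix.
//   @name -> check_plain()        (escaped, no markup)
//   %name -> theme_placeholder()  (escaped, wrapped in <em>)
function my_t(string $string, array $args = []): string {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = my_check_plain($value);
                break;
            case '%':
                $args[$key] = my_theme_placeholder($value);
                break;
        }
    }
    return strtr($string, $args);
}

// Constructed sample input: user-controlled text that contains markup.
$name = '<script>alert(1)</script> & co';

// '@' and '%' both neutralise the markup; '%' additionally adds <em>.
echo my_t('Hello @name', ['@name' => $name]), "\n";
// Hello &lt;script&gt;alert(1)&lt;/script&gt; &amp; co
echo my_t('Hello %name', ['%name' => $name]), "\n";
// Hello <em>&lt;script&gt;alert(1)&lt;/script&gt; &amp; co</em>

// The "better safe than sorry" mistake: escaping the value yourself before
// handing it to an escaping placeholder double-encodes it, so the page shows
// literal "&lt;" instead of "<". Safe, but wrong output.
echo my_t('Hello @name', ['@name' => my_check_plain($name)]), "\n";
// Hello &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt; &amp;amp; co
```

The rule the example encodes is: pick the prefix that sanitizes, and pass the raw value; pre-escaping is what produces the double-sanitized output mentioned in the message.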