[development] t() placeholder changes in HEAD

Derek Wright drupal at dwwright.net
Sun Aug 20 18:25:06 UTC 2006

On Aug 18, 2006, at 5:39 AM, Morbus Iff wrote:

> I'd like to know the reasoning/discussion behind using the existing  
> % for the least obvious (theme_placeholder) and the new and  
> entirely unknown @ for the most obvious (check_plain).

in case anyone's confused about this, theme_placeholder() calls  
check_plain() for you, so from a security perspective, the 2 are  
equivalent.  the only real difference is '%' (theme_placeholder) will  
wrap your string in <em> whereas '@' (check_plain) won't.

i'm fine with this change to t(), but once again, i must object to  
the rather insane combinations of layers of drupal code that might or  
might not call check_plain() or otherwise sanitize your output for  
you. :(  no wonder it's hard for developers to write secure code,  
correct code.  for the life of me, i can't figure out the reasoning  
behind (and therefore have any intuition about) what functions  
sanitize my output and which ones don't.

theme_* sometimes does
format_* often does
check_* always does
l() and url() do

how are we supposed to keep this stuff straight?  from brute-force  
repetition of reading api.drupal.org, i can kind of remember now how  
do do it right, but it's a waste of time and energy, and the whole  
system is *highly* error prone.  there are probably dozens of places  
that end up sanitizing twice, due to confusion about what what  
function does the cleaning, and people err'ing on the side of "better  
safe than sorry" (for example, see http://drupal.org/node/ 

it's way too late in the dev cycle for this, but i'd cast a large  
vote for a much more coherent way of handling output conversion and  
sanitizing in the next core API.


More information about the development mailing list