[development] more consistency in theme functions and output concepts.
Gerhard Killesreiter
gerhard at killesreiter.de
Wed May 10 10:30:48 UTC 2006
Bèr Kessels wrote:
> Hi there,
>
> For my helpers module I am trying to be ACAP (as consistent as possible). And
> some things I have (not yet) decided on, but which IMO could be very useful
> for the coding guidelines and core:
>
> * I filter ONLY in the theme function. That way you can be assured that theme
> functions get the raw data. Having ONE place, and one way where/how we filter
> makes it easier to look for sec. issues. 'My rule' is: As soon as we make an
> HTML string from something, we filter it. Anything that gets HTML
> programmatically is therefore filtered.
>
I think this is a pretty bad idea. This way every themer has a chance to
remove our XSS checks.
> * t(): on the same level. Only in the theme level do we output t()ed strings.
> This makes it a lot simpler, because you know that functions and methods pass
> the original strings along, and that they are only translated in the VERY
> END. This should also make testing against strings a lot easier. I even found
> a critical sec. issue that opened the "access control open to the world"
> because I translated two strings similarly.
>
I am not too thrilled about that either. Themers might decide to change
strings and then we would need theme dependent translations.
Cheers,
Gerhard
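To make Gerhard's objection concrete, here is an added illustration (not code from the thread or from Drupal) of what "filter only in the theme function" means once a themer overrides that function. The dispatcher theme(), the default theme_item(), the override mytheme_item() and the helper prepare_item() are all assumptions made for this example; the input string is constructed.

```php
<?php
// Minimal model of overridable theme functions, assumed for this example
// (not Drupal's real theme layer).

// Registry of theme overrides a themer might supply (constructed).
$overrides = array();

// Dispatcher: use the themer's override if present, else the default.
function theme($hook, $data) {
    global $overrides;
    $fn = isset($overrides[$hook]) ? $overrides[$hook] : "theme_$hook";
    return $fn($data);
}

// Default theme function: under Bèr's rule, escaping happens here and
// ONLY here.
function theme_item($text) {
    return '<li>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</li>';
}

// A themer's override that forgets the filter: the XSS check is gone,
// which is exactly Gerhard's concern.
function mytheme_item($text) {
    return '<li class="fancy">' . $text . '</li>';
}

// Alternative placement: escape the data before it reaches the theme
// layer, so a theme override cannot remove the check.
function prepare_item($raw) {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed untrusted input, as it might arrive from a form field.
$raw = '<script>alert(1)</script>';

echo theme('item', $raw), "\n";               // default theme: escaped
$overrides['item'] = 'mytheme_item';
echo theme('item', $raw), "\n";               // override: script tag reaches output
echo theme('item', prepare_item($raw)), "\n"; // escaped upstream: safe despite override
```

The consistency point still holds whichever layer is chosen: escaping must happen in exactly one place, since with both prepare_item() and the default theme_item() active the text would be encoded twice.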