[development] more consistency in theme functions and output concepts.

Gerhard Killesreiter gerhard at killesreiter.de
Wed May 10 10:30:48 UTC 2006

Bèr Kessels wrote:
> Hi there,
> For my helpers module I am trying to be ACAP (as consistent as possible). And 
> some things I have (not yet) decided on, but which IMO could be very usefull 
> for the codyng guidelines and core:
> * I filter ONLY in the theme function. That way you can be assured that theme 
> functions get the raw data. Having ONE place, and one way where/how we filter 
> makes it easier to look for sec. issues. 'My rule' is: As soon as we make an 
> HTML string from something, we filter it. Anything that gets HTML 
> programatically is therefore filtered.

I think this is a pretty bad idea. This way every themer has a chance to 
remove our XSS checks.

> * t(): on the same level. Only in the theme level do we output t()ed strings. 
> This makes it a lot simpler, because you know that functions and methods pass 
> the original strings along, and that they are only translated in the VERY 
> END. This should also make testing against strings a lot easier. I even found 
> a critical sec. issue that opened the "access control open to the world" 
> because I translated two string similar. 

I am not too thrilled about that either. Themers might decide to change 
strings and then we would need theme dependend translations.


More information about the development mailing list