[development] more consistency in theme functions and output concepts.

Gerhard Killesreiter gerhard at killesreiter.de
Wed May 10 11:30:35 UTC 2006

Bèr Kessels wrote:
> Op woensdag 10 mei 2006 12:30, schreef Gerhard Killesreiter:
>> I think this is a pretty bad idea. This way every themer has a chance to
>> remove our XSS checks.
> Sounds fair. 
> However, we now do *not* have a central place. Quite a few of our 
> checks/filters DO appear in theme functions!

Guess we should fix this, then.

> So I agree that the theme layer might not be the best place, but fact remains 
> that we need a *central* place, not?

It is hard to do that. Actually, there is a way to get rid of XSS once 
and for all: Filter your complete output through filter_admin_xss in 
your theme. :p

> IMO having it "all over the place" is worse than having it in a theme layer 
> where we say "themes are the ones to filter/sanitize all output".

I am very uncomfortable with this. Also, this will add complexity to the 
themes while many people try to remove complexity.

> Too often do I now find that theme_a calls theme_b and that theme_b filters 
> out stuff that theme_a wants to put in. More often even do I find that 
> function_x filters code, and makes it a chunk of HTML, while theme_a wants to 
> do something useful to that chunk and therefore wishes to receive the 
> original data. I tried to address these three issues (security, theme-power 
> and overhead) in one "guideline".

Well, it is certainly high on the power side, but a bit low on security. 
Not sure about the overhead.

>>> * t(): on the same level. Only in the theme level do we output t()ed
>>> strings. This makes it a lot simpler, because you know that functions and
>>> methods pass the original strings along, and that they are only
>>> translated in the VERY END. This should also make testing against strings
>>> a lot easier. I even found a critical sec. issue that opened the "access
>>> control open to the world" because I translated two strings similarly.
>> I am not too thrilled about that either. Themers might decide to change
>> strings and then we would need theme dependent translations.
> Why would that be? You will not receive any new strings. It's only the place 
> where strings are translated that will change. IMO the "place where the 
> string is injected into the HTML" is by far the best place to translate that 
> string.

I can replace any themed function by anything else so I sure can just 
change the strings.
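The "theme_b filters out stuff that theme_a wants to put in" problem the thread is arguing over can be shown in a few lines. The snippet below is an added illustration, not code from this thread or from Drupal; every function name in it (esc, theme_b_escaping, theme_a_escaping, prepare_title, theme_title) is hypothetical, esc() is assumed to behave like an HTML-escaping helper such as check_plain(), and the input string is constructed. It contrasts escaping in every nested theme function (which double-encodes and hides the original data from the outer function) with escaping exactly once at the point where data is written into HTML while helpers pass the original data along.

```php
<?php
// Added example, not Drupal code. Contrasts two conventions for where output
// gets sanitized in a themed rendering pipeline. All function names here are
// hypothetical.

// Escape a plain string for insertion into HTML. Stands in for an escaping
// helper such as Drupal's check_plain() (assumed to behave the same way).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- Convention A: "every theme function sanitizes its own input" ---------
// theme_b escapes what it receives and returns an HTML fragment.
function theme_b_escaping(string $title): string {
    return '<em>' . esc($title) . '</em>';
}

// theme_a gets theme_b's fragment. It cannot tell whether that string is
// trusted markup or raw user data, so to stay safe it escapes again. The page
// then shows "&lt;em&gt;" and "&amp;amp;" literally (double escaping), and
// theme_a never sees the original title it wanted to work with.
function theme_a_escaping(string $title): string {
    return '<h2>' . esc(theme_b_escaping($title)) . '</h2>';
}

// --- Convention B: sanitize once, where data is injected into HTML ---------
// Non-theme helpers pass the *original* data through (here a truncation
// helper). They never return HTML, so nothing downstream has to guess whether
// a value is already encoded.
function prepare_title(string $title, int $max = 40): string {
    return mb_strlen($title) > $max
        ? mb_substr($title, 0, $max - 3) . '...'
        : $title;
}

// The one theme function that writes into HTML escapes exactly once, and it
// still has the raw title available for any other processing it needs.
function theme_title(string $title): string {
    return '<h2><em>' . esc(prepare_title($title)) . '</em></h2>';
}

// Constructed sample input containing characters that must be encoded.
$title = 'Fish & Chips <b>special</b>';

echo "Convention A (escape in every layer):\n";
echo theme_a_escaping($title), "\n\n";

echo "Convention B (escape once at the HTML boundary):\n";
echo theme_title($title), "\n";
```

Running it prints the double-encoded output for convention A and a single, correct encoding for convention B. The point for the thread is that the contract, not the layer, is what matters: as long as helpers return original data and exactly one function owns the "inject into HTML" step, the sanitization has a central, auditable place without every theme function having to re-filter what it is handed.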

