Improvements of "m_Get" and "m_GetConfig" tags

Alexander Obuhovich

Jan 5, 2010, 6:00:00 AM
to In-Portal Development
Tag "m_Get" is used to retrieve any variable from the browser (get, post, cookie). This tag has an internal parameter named "htmlchars", which applies the "htmlspecialchars" function to its result. This functionality is redundant, since we have the "html_escape" parameter, which is processed for each tag and does the same. I propose to remove "htmlchars" parameter processing.

There is another issue with the "m_Get" tag. As a security measure we apply "htmlspecialchars" by default on all browser variables that are used on the front-end (this way all types of injections are prevented). If a developer wants to output the actual variable's value without the "htmlspecialchars" function applied to it, there is no way to do so. I propose to add a "no_html_escape" parameter that will do that for the "m_Get" tag.

Tag "m_GetConfig" is used to retrieve a configuration variable's value by the given name. It also processes an "escape" parameter internally, which does the same as the global tag parameter "js_escape". So I propose to remove it too.

Task: http://tracker.in-portal.org/view.php?id=530  (0000530: Improvements of "m_Get" and "m_GetConfig" tags)

--
Best Regards,

http://www.in-portal.org
http://www.alex-time.com
main_processor_fix.patch
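
A small PHP model of the behaviour proposed in this post, added here as an illustration; it is not In-Portal code and not the contents of the attached patch. The function names, the `name` parameter and the request value are assumptions. It shows escape-by-default output, the explicit `no_html_escape` opt-out, and what happens when a tag's own escaping is stacked with the global `html_escape` parameter.

```php
<?php
// Hypothetical model of the tag handling described in the post.
// Function names and the "name" parameter are assumptions.

// Constructed sample browser variable containing markup.
$request = ['q' => '<b title="x">Tom & Jerry</b>'];

// Global parameter processed for every tag's result ("html_escape" in the post).
function apply_global_params(string $result, array $params): string
{
    if (!empty($params['html_escape'])) {
        $result = htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    }
    return $result;
}

// Model of "m_Get": browser variables are escaped by default and only
// returned raw when the template explicitly asks with "no_html_escape".
function tag_m_get(array $request, array $params): string
{
    $value = (string) ($request[$params['name']] ?? '');
    if (empty($params['no_html_escape'])) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return apply_global_params($value, $params);
}

// 1. Default: markup characters become entities.
echo tag_m_get($request, ['name' => 'q']), PHP_EOL;

// 2. Explicit opt-out: the raw value is emitted, so the template author
//    takes responsibility for the output context.
echo tag_m_get($request, ['name' => 'q', 'no_html_escape' => 1]), PHP_EOL;

// 3. Tag-level escaping stacked with the global parameter: the value is
//    encoded twice ("&" becomes "&amp;amp;"), which is the practical cost
//    of keeping two escaping switches for the same job.
echo tag_m_get($request, ['name' => 'q', 'html_escape' => 1]), PHP_EOL;

// 4. Opt-out combined with the global parameter: encoded exactly once.
echo tag_m_get($request, ['name' => 'q', 'no_html_escape' => 1, 'html_escape' => 1]), PHP_EOL;
```

Templates that use the opt-out are the ones worth listing during a code review, since they are the only places where the browser-supplied value reaches the page unescaped.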