Open ampmonteiro opened 1 year ago
Excellent point. I guess we should? Maybe ask the community how they feel about this.
Hi,
Also, even though this setting change is not applied in the current major version of Smarty (v4), I recommend that some pages / areas of the v3 and v4 docs be updated with some kind of note / warning about not using, or not having on, the escape_html setting, in order to help prevent XSS attacks and follow good security practice.
Examples of some pages / areas in the v4 docs:
- Getting started
- Introduction
- escape
- unescape
If a different issue needs to be created for this docs suggestion, just write a comment confirming it, and I will do that later. Thanks.
@ampmonteiro I agree. And yes, please create a different issue for this, that will be helpful.
Hi,
Since you released a new version (v4), and for future versions, nowadays it makes no sense for the option `$smarty->escape_html` not to be set to true, or for `$smarty->default_modifiers` not to have this option: `['escape:"htmlall"']`. Because without at least one of the options activated, the library is not avoiding XSS attacks. And since you have a section for designers, i.e. people without PHP knowledge, they will forget the escape modifier.
Finally, since Smarty is a compiling template engine, I think it should have the same behavior as other compiled template engines like these standalone ones: Twig and Latte, or like the Blade template (with Laravel).
Thank you.
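The three configurations discussed in this thread side by side, as an added example that is not part of the issue or of the Smarty project: the default (no escaping), `escape_html = true`, and `default_modifiers = ['escape:"htmlall"']`, each rendering the same constructed untrusted value. It assumes Smarty 3 or 4 installed through Composer (the global `Smarty` class) and a writable compile directory under the system temp dir; `newSmarty` and `render` are helper names chosen here.

```php
<?php
// Added example (not from the issue thread): rendering one untrusted value with
// Smarty 3/4 under three output-escaping configurations.
// Assumes Smarty was installed via Composer and autoload.php is reachable.
require __DIR__ . '/vendor/autoload.php';

// Constructed untrusted input, the kind a user could submit in a form field.
const UNTRUSTED = '<script>alert(1)</script>';

function newSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
    // escape_html is applied when a template is compiled, so a template compiled
    // before the flag was switched on would still emit raw output. Forcing
    // recompilation here makes sure the setting of each instance is what runs.
    $smarty->force_compile = true;
    return $smarty;
}

function render(Smarty $smarty, string $tpl): string
{
    $smarty->assign('name', UNTRUSTED);
    // The string: resource compiles the template text passed inline.
    return $smarty->fetch('string:' . $tpl);
}

// 1. Weak: library defaults. {$name} is written out verbatim, so the
//    injected <script> tag reaches the browser unchanged.
$weak = newSmarty();
echo "default:              ", render($weak, '{$name}'), "\n";

// 2. Hardened, option A: escape every variable output at compile time.
$a = newSmarty();
$a->escape_html = true;
echo "escape_html:          ", render($a, '{$name}'), "\n";
// Intentional raw HTML must now be opted in explicitly with nofilter,
// which makes each unescaped output point visible in code review.
echo "escape_html+nofilter: ", render($a, '{$name nofilter}'), "\n";

// 3. Hardened, option B: run escape:"htmlall" on every output by default.
$b = newSmarty();
$b->default_modifiers = ['escape:"htmlall"'];
echo "default_modifiers:    ", render($b, '{$name}'), "\n";
```

Pick one of the two hardened options rather than both, otherwise output is escaped twice. Both only cover the HTML body context: a value placed inside a JavaScript block, a URL, or an unquoted attribute still needs a context-specific modifier (for example `escape:'javascript'` or `escape:'url'`), and any `nofilter` use should be treated as a review point.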