Always escape output? Why?

The Zend Framework manual states the following:

60.3.1. Escaping Output

One of the most important tasks to perform in a view script is to make sure that output is escaped properly; among other things, this helps to avoid cross-site scripting attacks. Unless you are using a function, method, or helper that does escaping on its own, you should always escape variables when you output them.

Why always? Why do I need to escape variables that were not created or modified by the user?

+3
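What the quoted guidance is about, as an added example that is not part of this thread or of Zend Framework's own code: a stand-in for a view's escape() (htmlspecialchars, which is also Zend_View's default escape callback in ZF1) applied to constructed values that are assumed to come from a database or config file rather than from the current request.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Minimal stand-in for a view's escape(): Zend_View's default callback is
// htmlspecialchars; the ENT_QUOTES/UTF-8 flags are this example's choice.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one list item either raw or escaped, so both outputs can be compared.
function renderItem(string $label, string $value, bool $escape): string
{
    if ($escape) {
        $label = escapeForHtml($label);
        $value = escapeForHtml($value);
    }
    return '<li>' . $label . ': ' . $value . '</li>';
}

// Constructed sample rows, as if read from a database. None of them is
// "user input" at the moment the view runs, yet each one changes the meaning
// of the surrounding HTML when echoed raw.
$rows = [
    // A legitimate company name: a bare '&' yields invalid markup.
    ['label' => 'Company', 'value' => 'Smith & Sons'],
    // A contact stored with angle brackets: the browser treats <bob@bob.com>
    // as an unknown tag and the address disappears from the rendered page.
    ['label' => 'Contact', 'value' => 'Bob <bob@bob.com>'],
    // A title saved through a form months ago: stored markup becomes live
    // script the moment it is echoed unescaped (stored XSS), even though no
    // request parameter is touched in this view.
    ['label' => 'Title',   'value' => 'Q3 report <script>alert(1)</script>'],
];

foreach ($rows as $row) {
    echo "raw:     " . renderItem($row['label'], $row['value'], false) . "\n";
    echo "escaped: " . renderItem($row['label'], $row['value'], true)  . "\n";
}
// The escaped lines render the stored text literally, e.g.
// <li>Contact: Bob &lt;bob@bob.com&gt;</li>, which is why the manual says
// "always": the view cannot know where a variable has been before.
```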
7 answers


, , , HTML, XML, JSON - .

+9


$this->escape($variableToEscape)

+4


+2

: HTML-, , .


foo <b>bar</b>

, HTML-, , , HTML. , ( ), , .


foo & <b>bar</b>


foo &amp; <b>bar</b>

+1

, - , HTML. "" , . , "" < bob@bob.com > ". , < bob@bob.com > .

+1

, , , XSS. , , , , , , ... , , XSS-, - , (, , - - , - , ), XSS.


: MVC , "", . , , , ?

+1

, (, , XML ), .


0

Source: https://habr.com/ru/post/1712174/
