Let us talk about escape.....

Discussion corner for Developers of Serendipity.
Post Reply
User avatar
Don Chambers
Regular
Posts: 3638
Joined: Mon Feb 13, 2006 3:40 am
Location: Chicago, IL, USA
Contact:

Let us talk about escape.....

Post by Don Chambers » Thu Jan 22, 2015 2:21 am

I see many instances of entry elements being escaped. For instance - entry url, url title, entry title, category names, etc. Smarty says the possible values are: html (which is the default), htmlall, url, urlpathinfo, quotes, hex, hexentity, javascript, mail.

Can we document a method of when, where, and how to escape? For example, under what circumstances within a s9y smarty tpl would I want to escape a variable? Why should I? Why shouldn't I?

What caught my attention recently was numerous instances where a url is escaped in one smarty template, but not another. Sometimes I see a url title escaped, but other times it is not. The same is sometimes true of a url name (ie, an entry title)... sometimes it is escaped, other times it is not.

So, any input on this would be appreciated!

User avatar
garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Let us talk about escape.....

Post by garvinhicking » Thu Jan 22, 2015 4:07 pm

Hey,

of course the most obvious important things are: Whatever is user input and not meant to be displayed as HTML always needs escaping to prevent abuse. Also, if you are expecting special characters that are in HTML scope "<", ">" etc. escape is needed.

So actually it's easier to ALWAYS use escape and think where you DON'T need it, not the other way round. Because example where you don't need HTML are more rare, like for editor body fields.

htmlall usually is too restrictive because it escapes entities that can easily be left as plaintext. "url" is needed for the places where you put a varable into a URL, "javascript" when you pass a string within a javascript variable, mail for a "mailto"-Link. The others can be ignored I think.

In some places s9y encodes/escapes the output already internally so that might not be needed... if you find places in existing templates you specifically see differing throughout differents ones, please feel free to post them here and we can discuss them on a per-case basis.

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

User avatar
Don Chambers
Regular
Posts: 3638
Joined: Mon Feb 13, 2006 3:40 am
Location: Chicago, IL, USA
Contact:

Re: Let us talk about escape.....

Post by Don Chambers » Thu Jan 22, 2015 6:31 pm

Thanks Garvin. I was working on plugin_staticpage_searchresults.tpl last night. I see the link often constructed as this:

Code: Select all

<a href="{$result.permalink|@escape}" title="{$result.pagetitle|@escape}">{$result.headline}</a>
The link "title" is escaped, while the link text itself is not. Do you think we should ALWAYS escape the title and NOT the link text? Should we ALWAYS escape both? Are links (such as entry titles, staticpage titles, category names, etc) escaped internally and therefore not necessary in the template?

Also... should the permalink be escaped as {$result.permalink|escape:'url'} (and not just escape)?

On a related note, in entries.tpl: when an entry has categories, and those categories have icons, the links are often displayed as follows (2k11):

Code: Select all

<a href="{$entry_category.category_link}"><img class="serendipity_entryIcon" title="{$entry_category.category_name|@escape}{$entry_category.category_description|@emptyPrefix}" alt="{$entry_category.category_name|@escape}" src="{$entry_category.category_icon}"></a>
Again, we see category names being escaped, but what is @emptyPrefix? Is that an internal modifier? ... because i cannot find any reference to it in the smarty docs.

User avatar
garvinhicking
Core Developer
Posts: 30020
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Let us talk about escape.....

Post by garvinhicking » Thu Jan 22, 2015 10:43 pm

Hi!

That's a good example. The permalink is escaped, more for extra security. This link usually would NEVER contain any HTML, so escaping it doesn't actually do something (<> etc. are not allowed in URLs so nobody should/would enter them). So it's more a safety measure if someone entered code there that it wouldn't break out the <a> construct. The headline is NOT escaped, because it should be possible for people to put a <strong> or whatever inside the headline.

So especially for staticpages it should be allowed for editors to place HTML code at many places...
Also... should the permalink be escaped as {$result.permalink|escape:'url'} (and not just escape)?
I'm not sure, I think this could be wrong because it would then translate things like "/" to encoding that would no longer make a valid URL. "url" escaping is more meant for URL parameters that should NOT be interpreted as a URL.

"emptyprefix" is a modifier that adds a ": " to a string, but only if that is not empty. This is to get an output like "Category: This is the descpription!", but if description is empty, it only shows "Category" and not "Category: ". It's a shorthand for using a new "if..." statement to check if a string is empty.

It's a custom modifier we add ourselves in includes/functions_smarty.inc.php.

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

User avatar
Don Chambers
Regular
Posts: 3638
Joined: Mon Feb 13, 2006 3:40 am
Location: Chicago, IL, USA
Contact:

Re: Let us talk about escape.....

Post by Don Chambers » Thu Jan 22, 2015 11:04 pm

Great explanation. Thanks!

Post Reply