Richard Wallace 2004-08-12, 8:59 pm
| Sorry, I forgot to do "Reply All" and just did plain old reply. Sending
back to the list now.
boots wrote:
>b>FYI: Strictly, this isn't necessary as you can use PHP functions as
>b>modifiers and this one is wrapping the PHP function 1:1.
>
>rw> That's probably a good thing, IMO. For example, the whole point of
>rw> using a template language is to separate application logic and
>rw> presentation logic. If you allow a template designer to use straight
>rw> PHP in the templates, they could mess things up significantly. For
>rw> instance, they could make a call to a database and do some updates
>rw> that they're not supposed to or something like that.
>
>rw> My point is that I prefer to turn off the ability to put PHP in
>rw> templates for security and safety. For that reason providing
>rw> wrappers for standard PHP formatting functions is a good thing,
>rw> IMO.
>
>I completely agree with this point-of-view; however, to achieve it, you
>have to first turn on Smarty's security, otherwise PHP functions are
>indeed exposed as a default. You know this, of course.
>
>You may not know that Smarty allows you to whitelist PHP functions when
>its security is turned on. In this way, you can choose to expose only
>those "safe" functions that you want your designers to access. This
>implies that *merely* wrapping a function that can be more easily
>whitelisted seems superfluous and results in extra maintenance,
>documentation, etc.
>
You are correct, I did not know that you could do that. Seems like that
could be quite a bit of extra overhead during runtime, though. Might be
more efficient to just wrap the language functions that only deal with
formatting. Maybe just give them a wrapper for sprintf() and tell them
to have fun =).
Rich
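The two approaches the thread compares, written out as an added example (not code from the list posting or from the Smarty project itself): Smarty 2's default with security off, the hardened configuration with security on and a whitelist of formatting functions in `security_settings['MODIFIER_FUNCS']`, and the wrapper-modifier alternative Rich suggests. The directory paths, the template name `invoice.tpl` and the `money` modifier are assumptions for illustration.

```php
<?php
// Added example, not part of the original thread. Assumes Smarty 2.x with
// Smarty.class.php on the include path; paths below are hypothetical.
require_once 'Smarty.class.php';

$smarty = new Smarty();
$smarty->template_dir = './templates';    // hypothetical
$smarty->compile_dir  = './templates_c';  // hypothetical

// --- Weak setting: Smarty 2's default. With security off, any PHP
// function a designer names in a template is usable as a modifier or in
// an {if} test, so template authors effectively have full PHP.
$smarty->security = false;

// --- Hardened setting: turn security on and expose only the formatting
// functions designers actually need. Everything not listed is rejected
// when the template is compiled, not executed.
$smarty->security = true;
$smarty->php_handling = SMARTY_PHP_REMOVE;            // strip raw <?php ... ?> from templates
$smarty->security_settings['PHP_HANDLING'] = false;   // {php} handling stays off
$smarty->security_settings['PHP_TAGS']     = false;   // {php}...{/php} blocks are refused
$smarty->security_settings['INCLUDE_ANY']  = false;   // includes restricted to secure_dir
$smarty->secure_dir = array('./templates');           // hypothetical
$smarty->security_settings['MODIFIER_FUNCS'] = array(
    'count',          // Smarty's own default entry
    'sprintf',        // the function the thread talks about
    'number_format',
    'ucfirst',
    'nl2br',
);
$smarty->security_settings['IF_FUNCS'] = array('isset', 'empty', 'count');

// --- The alternative discussed in the thread: a purpose-built wrapper.
// A registered modifier is callable regardless of the whitelist, so it
// exposes exactly one formatting behaviour and nothing else.
function modifier_money($amount, $symbol = '$')
{
    // Hypothetical helper: fixed two-decimal currency formatting via sprintf().
    return $symbol . sprintf('%01.2f', (float) $amount);
}
$smarty->register_modifier('money', 'modifier_money');

$smarty->assign('total', 1234.5);
$smarty->assign('items', array('a', 'b', 'c'));

// ./templates/invoice.tpl (hypothetical) might contain:
//   Total: {$total|money}   Items: {$items|@count}
// Both modifiers compile. A line such as {$total|some_unlisted_function}
// is refused by the compiler in secure mode instead of being run.
$smarty->display('invoice.tpl');
```

On the overhead Rich raises: Smarty 2 applies the `MODIFIER_FUNCS` and `IF_FUNCS` checks in its compiler, so the cost is paid once per template compile rather than on every render, and the whitelist and the wrapper modifier can be used side by side.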