Code Comments
Sorry, I forgot to do "Reply All" and just did plain old reply. Sending back to the list now.

boots wrote:
> b> FYI: Strictly, this isn't necessary as you can use PHP functions as
> b> modifiers and this one is wrapping the PHP function 1:1.
>
> rw> That's probably a good thing, IMO. For example, the whole point of
> rw> using a template language is to separate application logic and
> rw> presentation logic. If you allow a template designer to use straight
> rw> PHP in the templates, they could mess things up significantly. For
> rw> instance, they could make a call to a database and do some updates
> rw> that they're not supposed to or something like that.
>
> rw> My point is that I prefer to turn off the ability to put PHP in
> rw> templates for security and safety. For that reason providing
> rw> wrappers for standard PHP formatting functions is a good thing,
> rw> IMO.
>
> I completely agree with this point-of-view; however, to achieve it, you
> have to first turn on Smarty's security, otherwise PHP functions are
> indeed exposed as a default. You know this, of course.
>
> You may not know that Smarty allows you to whitelist PHP functions when
> its security is turned on. In this way, you can choose to expose only
> those "safe" functions that you want your designers to access. This
> implies that *merely* wrapping a function that can be more easily
> whitelisted seems superfluous and results in extra maintenance,
> documentation, etc.

You are correct, I did not know that you could do that. Seems like that could be quite a bit of extra overhead during runtime, though. Might be more efficient to just wrap the language functions that only deal with formatting. Maybe just give them a wrapper for sprintf() and tell them to have fun =).

Rich
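The two options discussed in the thread side by side, as an added example that is not part of the original posts: a Smarty instance with security left off (every PHP function reachable from a template), next to one with security enabled, an explicit whitelist of formatting functions, and a registered 1:1 wrapper modifier. It assumes the Smarty 3 API (Smarty_Security, enableSecurity(), registerPlugin()); the policy class name, the `money` modifier and the library path are illustrative.

```php
<?php
// Added example, not code from the thread. Assumes Smarty 3; the
// include path below is a placeholder for wherever Smarty is installed.
require_once 'libs/Smarty.class.php';

// Weak setting: security is off by default, so any PHP function can be
// used as a modifier ({$x|some_php_function}) or inside {if} expressions.
$weak = new Smarty();
// ... no enableSecurity() call, templates see all of PHP.

// Hardened setting: a policy that lists only the functions designers need.
class Template_Policy extends Smarty_Security
{
    // PHP functions allowed in {if ...} and other expressions.
    public $php_functions = array('isset', 'empty', 'count');
    // PHP functions allowed as modifiers ({$var|nl2br}).
    public $php_modifiers = array('escape', 'count', 'nl2br');
}

$smarty = new Smarty();
$smarty->enableSecurity('Template_Policy');

// A wrapper is still worthwhile for functions whose raw signature does
// not fit modifier calling conventions: Smarty passes the variable as
// the FIRST argument, so exposing sprintf() directly would give designers
// sprintf($value, $format). The wrapper fixes the format and argument
// order, and is the only name the policy has to document.
$smarty->registerPlugin('modifier', 'money', function ($amount, $sym = '$') {
    return $sym . sprintf('%.2f', (float) $amount);
});

$smarty->assign('price', 12.5);
// {$price|money} renders "$12.50"; a modifier that is neither registered
// nor in $php_modifiers (e.g. {$price|shell_exec}) is refused at compile
// time, which is the check the thread relies on when security is on.
echo $smarty->fetch('string:{$price|money}');
```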