
> Yii 2.0 helps you to write more secure code. It has built-in support to prevent SQL injections, XSS attacks ...

This is just a minor complaint, but it's so pervasive among web frameworks that I must complain yet again.

According to the documentation for Yii 2.0, the recommended way to output a variable to a web page is:

    <?= Html::encode($var) ?>

Not the PHP standard:

    <?= $var ?>

Because if you do the latter, you will be vulnerable to XSS.

But why does every framework (and many template engines) insist on telling you to call a specific function in the template in order to get XSS protection? HTML escaping should be turned on by default, by whatever means possible.

The simplest template syntax should also be the most secure, not the other way around. Because sooner or later, somebody is going to forget to call that function.

Auto-escaping also saves a lot of clutter in templates, since there are usually only a few places in any given page (usually the content of a post) where HTML content needs to be printed unescaped (but filtered, of course).

Some frameworks escape everything by default and only allow you to print raw HTML if you add a "noescape" flag. This is better, but some of them only do this if you turn on some sort of "autoescape" flag at the top. This is just as bad, since it is insecure by default.

One might point out that not all escaping is the same, since different escaping rules apply in different contexts. But do we really have no way to detect, when parsing and compiling a template, which context we're currently in?

XSS protection in modern template engines should be opt-out, not opt-in. Otherwise they have no right to claim XSS protection as a feature.



Twig, at least, escapes by default. Laravel's Blade templates don't, unless that's changed recently.

But the price you pay for that of course is no longer working directly in PHP but a templating language with its own syntax (for instance, array shorthand in Twig templates [] has worked since I don't know when but only recently has PHP gotten around to supporting it) which has to be parsed, and partially compiled into PHP classes.


Yeah, frameworks that use raw PHP files as views at least have that as an excuse. But the cost of using a simple template engine with good caching support seems to be minimal compared to the benefit of XSS prevention. CodeIgniter, for example, can convert short tags to full PHP tags if short tags are turned off in php.ini. They might as well wrap htmlspecialchars() around every {$var} while they're at it.

Non-PHP frameworks, on the other hand, really have no excuse.


> but only recently has PHP gotten around to supporting it

You're talking about the `[]` short-hand for arrays, right? That was released in version 5.4, in March 2012. I wouldn't really say that's "recent", at least in my opinion.


It is still relatively recent, if you consider how many older PHP installs are out there. I've had to write around this on a few projects, when I found out my client's server had no idea what the array shorthand or namespaces were.


In Laravel Version 5 (due in a month or two), escaping will be on by default.


Yep, and to do non-escaped output you have to use {!! $foo !!}, which at least makes it obvious at a glance, as {{{ $foo }}} vs. {{ $foo }} got lost easily.
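To make the opening comment's argument concrete (escaping as the simplest syntax, raw output only behind a deliberately noisy marker, which is the Blade 5 scheme described just above), here is an added example of a minimal escape-by-default template compiler. It is not code from the thread, from Yii or from Laravel; the function names `e`, `compileTemplate` and `renderTemplate` and the sample template are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for an HTML text or double-quoted attribute context.
 * Caveat raised in the thread: this is one context's escaping only; JavaScript,
 * URL and CSS contexts need different encoders, which this example does not cover.
 */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Compile template source to PHP. The simplest syntax, {{ ... }}, always goes
 * through e(); unescaped output requires the explicit, hard-to-miss {!! ... !!}.
 * There is no "autoescape" switch to forget: escaping is the default.
 */
function compileTemplate(string $source): string
{
    $php = preg_replace('/\{!!\s*(.+?)\s*!!\}/s', '<?= $1 ?>', $source);
    return preg_replace('/\{\{\s*(.+?)\s*\}\}/s', '<?= e($1) ?>', $php);
}

/** Render a template string with the given variables and return the HTML. */
function renderTemplate(string $source, array $vars): string
{
    extract($vars, EXTR_SKIP);          // expose $vars as locals for the compiled code
    ob_start();
    eval('?>' . compileTemplate($source)); // leading ?> puts eval into HTML mode
    return (string) ob_get_clean();
}

// Constructed sample: untrusted user input next to already-filtered post HTML.
$template = '<p>Hello, {{ $name }}</p><div class="post">{!! $postHtml !!}</div>';
$vars = [
    'name'     => '<script>alert(1)</script>',      // constructed hostile input
    'postHtml' => '<em>already filtered HTML</em>', // the one place raw HTML is wanted
];

// $name is emitted HTML-escaped; $postHtml passes through unchanged.
echo renderTemplate($template, $vars), PHP_EOL;
```

The point of the asymmetry is visible in the compiled output: the line a developer writes without thinking is the safe one, and the unsafe one has to be asked for by name.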


The cost for auto-escaping everything is too high:

1. You're no longer using PHP. Btw., Yii supports Twig, which escapes everything by default.

2. Performance-wise it's quite a big hit.


1. Yeah, that's a valid excuse, but only if your framework is written in PHP. So Yii has an excuse, but Django does not.

2. You'll have to escape virtually all the strings that go into the template anyway. So the performance hit of escaping is almost the same, assuming you don't re-compile the template every single time (which no sane template system does).



