Do you know where that came from? - is it safe?
Never trust your own code here, that may be safe today, but one day you will make a change to the backend code, and forget it is used at output time.. -> opening the door to XXS attacks..

This is why PHP style templates are just a bad idea.. - unless you copy and paste htmlspecialchars everywhere, in which case, you have to look through the trees to see the bugs…

The output layer should default to escaping code if possible, and make it easy to find where escaping is not done, not the other way round.

That’s without getting into the undocumented madness that smarty and savant use with $object->assign()…

Although I have my own small templating system for Ottoman, but a future product I’m working on would be much easier to program and manage if I used Savant2.

Again that’s for the post.

One thing worth mentioning about templating in PHP is that it’s not about separating PHP code from template files, its about separating business logic from presentation. There is nothing inherently evil about having code in your template files, so long as its code which exists solely to service the presentational aspects of what you are trying to accomplish.

This separation isn’t ever going to be solved entirely by the templating software, it’s something which has to be separated by the developer as part of a conscious design decision.

There is no “endforeach”, while the language looks the same, it is still a custom markup.

With smarty, this:
<img src=”{$image}/t1.jpg”/>

is nicer than:

<img src=”<?php echo $value[’image’]; ?>”>

This isn’t a “smarty is better” comment, but a “why choose one over the other if they are the same?” comment.

I think I have a simpler solution(simpler in syntax). Just a class

Template.class.php
——————–

I use the template engine of my own. the syntax in the template file will be cleaner. simple, yet it fits my neeeds.

< ?PHP class Template { var $path; var $file; var $_vars = array(); function Template() { require_once 'inc/html.php'; } function set($k,$v) { $this->_vars[$k] = $v; } function get($k) { return $this->_vars[$k]; } function parse() { //import vars into this namespace extract($this->_vars); //start buffering output ob_start(); require $this->file; //get the output in buffer $output = ob_get_contents(); //clean buffer ob_end_clean(); return $output; } } ?>

sample.tpl.php
—————

< ?=$body?>

php script to use the template
——————————

< ?PHP $tpl = new Template; $tpl->file = 'sample.tpl.php'; $tpl->set('title', 'Hello'); $tpl->set('body','Hello, world!'); echo $tpl->parse(); ?>

There is no “endforeach”, while the language looks the same, it is still a custom markup.

Actually, have a read of the manual page:

PHP offers an alternative syntax for some of its control structures; namely, if, while, for, foreach, and switch. In each case, the basic form of the alternate syntax is to change the opening brace to a colon (:) and the closing brace to endif;, endwhile;, endfor;, endforeach;, or endswitch;, respectively.

Alternatively you could have looked at the list of PHP parser tokens. Either place lists endforeach as valid PHP.

This is why PHP style templates are just a bad idea.. - unless you copy and paste htmlspecialchars everywhere, in which case, you have to look through the trees to see the bugs…

The output layer should default to escaping code if possible, and make it easy to find where escaping is not done, not the other way round.

That’s without getting into the undocumented madness that smarty and savant use with $object->assign()…

I’m not sure I follow, isn’t having a presentation detail like calls to htmlspecialchars located in the presentation template a good thing? If you have your calls to htmlspecialchars sprinkled throughout your business logic layers how are you going to prevent double escaping?

I tend to work on a Programming By contract method, whereby my templating layer (the view) counts on the fact that it is being passed unescaped data. The templates job is to then format the data provided for presentation, if that presentation language is html then it gets escaped.