  1. In-Portal CMS
  2. INP-432

Improvements of "m_Get" and "m_GetConfig" tags


    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.0.2-B2
    • Fix Version/s: 5.1.0-B1
    • Component/s: Front End
    • Labels:
      None

      Description

      Tag "m_Get" is used to retrieve any variable from the browser (get, post, cookie). This tag has an internal parameter named "htmlchars", which applies the "htmlspecialchars" function to its result. This functionality is redundant, since we have the "html_escape" parameter, which is processed for each tag and does the same. I propose to remove "htmlchars" parameter processing.

      There is another issue with the "m_Get" tag. As a security measure we apply "htmlspecialchars" by default on all browser variables that are used on the front-end (this way all types of injections are prevented). If a developer wants to output the actual variable's value without the "htmlspecialchars" function applied to it, there is no way to do so. I propose to add a "no_html_escape" parameter that will do that for the "m_Get" tag.

      Tag "m_GetConfig" is used to retrieve a configuration variable's value by the given name. It also processes an "escape" parameter internally, which does the same as the global tag parameter "js_escape". So I propose to remove it too.
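
A minimal PHP sketch of the escaping behaviour this issue describes, added here as an illustration and not taken from the issue or from In-Portal's code. The names `m_get()`, `html_escape()` and `$request` are hypothetical stand-ins, and the assumption that a tag-level escape and the global escape can stack on the same value is mine.

```php
<?php
// Hypothetical stand-ins for illustration only; not In-Portal's implementation.

/** Escape a value for an HTML text node or a quoted attribute value. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Sketch of an "m_Get"-style tag: read a browser variable, escape by default.
 * $request is a constructed stand-in for merged GET/POST/cookie data.
 */
function m_get(array $params, array $request): string
{
    $raw = $request[$params['name']] ?? '';

    // Array-valued input (e.g. ?q[]=x) has no single printable value.
    if (!is_scalar($raw)) {
        return '';
    }
    $value = (string) $raw;

    // Secure default: escape unless the template explicitly opts out.
    if (empty($params['no_html_escape'])) {
        $value = html_escape($value);
    }

    return $value;
}

// Constructed sample input.
$request = ['q' => '<b title="x">Tom & Jerry</b>', 'ids' => ['1', '2']];

// 1. Default: markup characters are emitted as entities.
echo m_get(['name' => 'q'], $request), "\n";

// 2. Opt-out: the raw value is returned; the template author now owns
//    the encoding for whatever context the value is written into.
echo m_get(['name' => 'q', 'no_html_escape' => 1], $request), "\n";

// 3. A second escape stacked on an already escaped value double-encodes
//    it, which is the practical cost of keeping a redundant parameter.
echo html_escape(m_get(['name' => 'q'], $request)), "\n";

// 4. Array-valued input yields an empty string instead of "Array".
echo m_get(['name' => 'ids'], $request), "\n";
```

In the third call the `&` in the sample value comes out as `&amp;amp;`, so the page shows a literal `&amp;` instead of the ampersand.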


              People

              • Assignee: alex Alex
              • Reporter: alex Alex
              • Developer: Alex
