Note: I’m using Zend Framework, but I think most of this applies to PHP coding in general.

I’m trying to choose a strategy for writing views scripts, possibly with the help of a templating engine. Motivations: clarity and security. I’m just not happy with writing .phtml scripts. This syntax is awfully verbose to do the most often needed thing – outputting a variable:

<?php echo $this->escape($this->myVariable); ?>

In addition to the code being lengthy, IMHO the template author shouldn’t have to remember (and bother) writing an escape call each time he/she wants to output a variable. Forgetting the call will almost definitely result in an XSS vulnerability.

I have two possible solutions for this problem:

Solution 1: A template engine with automatic escaping

I think at least Smarty has an option for automatically escaping html entities when outputting variables. There are points against Smarty, but maybe at least some of them are addressed in the upcoming 3.0 – I haven’t checked yet.

XML based template engines like PHPTAL will also escape any data by default. They might look quite odd for a beginner, though. Maybe still worth trying?

Solution 2: Escape the data in the Model

Of course, the other option would be to escape the needed data already in the Model (or even the controller?). The Model should already know the content-type (mainly plain text or HTML text) of each field, so it would be kind of logical to escape the data there. The view could consider all data as safe HTML. This would allow eg. changing the datatype of a field from plain text to HTML without touching the view script – only by changing the Model.

But then again, it doesn’t feel like good MVC practice. In addition, there are problems with this approach as well:

• sometimes the view only wants to print the first n characters, and we don’t want to end up truncating the data foo & bar as foo &am (having first escaped it as foo & bar)
• maybe the view wants to construct an URL with varName=$varName in the querystring – again, escaping already in the Model would be bad.

(These problems could be addressed by providing two versions of the data, or unescaping in the template. Seems bad to me.)

Ideas? Am I missing something? What do you consider “the best practice”?

PS. This post is about finding a general solution for any user-supplied plain-text data that may contain < or > or any other characters. So, filtering data before saving it to the database isn’t the solution.

Update:

Thanks for all comments so far. I did some more research and will next evaluate Twig and possibly Open Power Template. Both seem interesting: Twig looks very straightforward, but the project is young. On the XML side, OPT’s syntax looks a bit nicer than PHPTAL’s. Both Twig and OPT are quite well documented.