I’m doing some Lithium work again and just wanted to revisit the views for a moment. Most of this is from memory, so please correct any errors.
I love the way that Lithium handles views. By sending variables to the view with the compact() function, you can refer to them $directly instead of something like $this->variable.
What’s also nice is that regardless of your php.ini settings and version, you can use the PHP short open tags. If I remember correctly, they were deprecated before becoming the default, due to their conflict with outputting xml (<?xml).
Lithium parses the view so you won’t get any errors even if you have the tags disabled. As an added benefit, they automatically escape variables with htmlspecialchars().
What’s really attractive about parsing views is that it makes possible context-sensitive escaping. IMO, frameworks should make this standard. Even the better backend developers are mostly getting this wrong. How do you expect a front-end developer who typically writes the view to get it right? Result? Insecure pages abound.
Hopefully Lithium will perform context-sensitive escaping in the future. If I have time, I hope to contribute to this effort.
What’s the take-home message? In your views, educate yourself on how to escape variables. Depending where the variable is showing, you may need to escape it yourself. To know what method to use, study this OWASP guide: