I wrote a reply to Chris Zend Framework wishlist. He focused on security aspects that by and large the WebBuilder2 framework has already effectively addressed. Since I was only made aware of this post today even though it was posted 3 weeks ago I am publishing it here as well to get some more exposure and more importantly feedback.
In my framework I wouldnt say that I have really focused alot of energy on security. But I did recently add a number of input filters and validators as well as a custom echo function that defaults to the proper escaping based on the output format or that can be asked to specifically escape for a given format. This is all handled by the module base class (you will find the relevant methods towards the bottom).
As for a taint model we simply stick all parameters send to a particular module inside an array and make it available to the module. The author of the module can then apply the defined validation rules. In a similar manner the module author can configure what type of structure is allowed to be passed to the templates. This is again only partially a security feature. The main reason we added this was to ensure that there will be atleast some documentation of the possible values send to each given template. I make use of this in the installer module.
We also have the ability to generate a unique id for a form that can only submitted once. The original idea being to prevent multiple submissions by going back and forth in the browser history. The core controller simply checks if the unique id is contained inside a list of unique id in the given session.
Through the use of LiveUser we also have a quite flexible way of defning how to handle sessions, when to regenerate the ID, when to destroy the entire session. However I am hoping that one of these days we strip out the forced usage of the php sessions from LiveUser.
You can find the framework here:
http://oss.backendmedia.com/WebBuilder2/
Thanks for the links, Lukas. I'm trying to focus on use cases - the primary problem being that echo is so easy and intuitive that anything else is going to seem cumbersome in comparison, I think.
I followed your links and saw your write() method. I assume a proper use case is something like this:
<p>My name is <?php $myobject->write($name, 'html'); ?>.</p>
That's not bad, and other approaches are similar, but I'm hoping there's a better way, as I try to describe here:
http://shiflett.org/archive/168
Another approach I've seen is to provide a method h():
<p>My name is <?php $name->h(); ?>.</p>
(URL encoding would be a separate method.) This is Ning's approach, for example.
There may be no better way. After all, it's up to the developer to decide whether data is supposed to be interpreted by the remote system or not.
In your write() method, you might want to specify the character encoding in your htmlspecialchars() call:
switch($output) {
case 'html':
echo htmlspecialchars($value);
break;
Something like:
echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
Just a suggestion. :-)
By the way, is the following the default value?
$liveuser['login']['regenid'] = false;
Any harm in defaulting that to true? :-)
I usually introduce new features as optional. Also I could see this confusing users in some cases if they do not have cookies enabled (in which case the WebBuilder defaults to using get level session id propagation).
As for the write() method: I have not really pushed its use alot, but I will explore your suggestion.
