
FuelPHP Forums

V1.3 config question
  • I was doing a diff between v1.2.1 and v1.3 and noticed that in the file app/config/config.php, the following settings have been removed: html_entities_flags, html_entities_double_encode, and auto_encode_view_data. I couldn't find them any place else, so I'm wondering what happened to them. Thanks,
    Mitchell
  • I have all FuelPHP versions installed here, and I did a quick search in the code over all versions, but I can't find these config keys?
  • Hmm, that's odd. Here's what I have. The settings in question are between 'output_filter' and 'whitelisted_classes'.
      /**
       * This output filter can be any normal PHP function as well as 'xss_clean'
       *
       * WARNING: Using xss_clean will cause a performance hit.  How much is
       * dependant on how much input data there is.
       */
      'output_filter'  => array('Security::htmlentities'),
    
      /**
       * Whether to automatically filter view data
       */
      'auto_filter_output'  => true,
    
      /**
       * Flags to use when encoding html entities
       */
      'html_entities_flags' => 'ENT_QUOTES',
    
      /**
       * Whether or not html entities should be double encoded
       */
      'html_entities_double_encode' => false,
    
      /**
       * When true, all variables passed on to view objects are automatically encoded
       */
      'auto_encode_view_data' => true,
    
      /**
       * With output encoding switched on all objects passed will be converted to strings or
       * throw exceptions unless they are instances of the classes in this array.
       */
      'whitelisted_classes' => array(
        'Fuel\\Core\\Response',
        'Fuel\\Core\\View',
        'Fuel\\Core\\ViewModel',
        'Closure',
      )
    
  • I've been diving into the changelogs and the git history: The security.auto_encode_view_data config option in app/config/config.php has been renamed to security.auto_filter_output in v1.1. security.htmlentities_flags was introduced on February 20th, but was never added as a key to the default app configuration. It defaults to ENT_QUOTES, which used to be hard-coded. html_entities_double_encode was introduced on April 20th, again never added as a key to the default app configuration. It defaults to false, and I have yet to find a situation where I would like to encode twice.
  • I have the security.auto_filter_output field in my config file, and since the html_entities_flags defaults to ENT_QUOTES and html_entities_double_encode defaults to false, it looks like I can simply remove those 3 settings and all will be good. Thanks very much for digging into the change logs and figuring this out.
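
Added example, not part of the thread and not FuelPHP code: what the two defaults mentioned above (ENT_QUOTES, and double encoding off) do to view data. `encode_for_view()` is a hypothetical helper that assumes both values are passed straight to PHP's `htmlentities()`; the sample strings are constructed.

```php
<?php
// Hypothetical helper for illustration only; it is not part of FuelPHP.
// Assumption: the flags and double-encode settings end up as the second and
// fourth arguments of PHP's htmlentities().
function encode_for_view(string $value, int $flags = ENT_QUOTES, bool $double_encode = false): string
{
    return htmlentities($value, $flags, 'UTF-8', $double_encode);
}

// Constructed sample values.
$samples = [
    'single-quoted attribute' => "x' title='injected",
    'already encoded text'    => 'Fish &amp; Chips <b>',
];

foreach ($samples as $label => $value) {
    echo "== $label ==\n";
    // The defaults discussed in the thread.
    echo 'ENT_QUOTES, no double encode : ', encode_for_view($value), "\n";
    // ENT_COMPAT encodes double quotes only, so a single quote passes through.
    echo 'ENT_COMPAT, no double encode : ', encode_for_view($value, ENT_COMPAT), "\n";
    // Double encoding turns an existing entity's "&" into "&amp;" again.
    echo 'ENT_QUOTES, double encode    : ', encode_for_view($value, ENT_QUOTES, true), "\n";
}

// Placed in a single-quoted attribute, the ENT_COMPAT result ends the attribute
// early and adds a second one; the ENT_QUOTES result stays inside the value.
foreach ([ENT_COMPAT, ENT_QUOTES] as $flags) {
    $attr = encode_for_view($samples['single-quoted attribute'], $flags);
    echo "<input value='$attr'>\n";
}
```

If a project overrides the flags, checking a template that uses single-quoted attributes with a value like the first sample shows quickly whether quotes are still being encoded.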
