Thus whenever anyone looked at your page, they were also made "friends" of Samy's.
This resulted in an exponential increase in friends for Samy: over 1 million MySpace profiles were infected within 20
hours. Fortunately, the code wasn't especially malicious and didn't steal each user's password along the way, but
the same injection point could have carried any JavaScript the attacker chose.
The easiest way to prevent XSS vulnerabilities is to encode the characters that have special meaning
in HTML. That is, we need to change all instances of & to &amp;amp;, < to &amp;lt;, > to &amp;gt; and " to &amp;quot; so that the browser
treats them as literal text rather than HTML (the ampersand must be encoded first, otherwise the entities produced
for the other characters are themselves re-encoded). Within the Zend Framework, we use the view helper function escape() to
do this. Every time that you display a PHP variable within a template file, you should use escape() unless you
need it to contain HTML, in which case you should write a sanitizing function that allows only the HTML tags that
you trust and strips everything else, including attributes such as onmouseover that can carry script.
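The following script is an added example, not code from the book or from the Zend Framework. It reproduces stand-alone what Zend_View's escape() helper does by default (it delegates to htmlspecialchars()), shows why the order of replacements matters in a hand-rolled encoder, and sketches a minimal allow-list sanitizer for the rare field that must carry HTML. The function names, the sample payload and the tag allow-list are all assumptions chosen for the example; in a real view script you would write `<?php echo $this->escape($this->name); ?>` rather than calling these helpers.

```php
<?php
// Added example: stand-in for the Zend_View escape() helper (not framework code).
// Zend_View's escape() calls htmlspecialchars() by default; this version also
// passes ENT_QUOTES so the output is safe inside single- or double-quoted
// attribute values, which is stricter than the framework default. Always
// double-quote attribute values in view scripts regardless.
function escape_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// A naive hand-rolled encoder that replaces & last: the &lt; and &gt; produced
// by the earlier replacements are turned into &amp;lt; and &amp;gt;, so the
// browser shows the literal text "&lt;" instead of "<". This is the bug the
// ordering rule in the text guards against.
function escape_html_wrong_order($value)
{
    $value = str_replace('<', '&lt;', $value);
    $value = str_replace('>', '&gt;', $value);
    return str_replace('&', '&amp;', $value);
}

// Hypothetical allow-list sanitizer for a field that legitimately holds HTML.
// strip_tags() keeps only the listed tags but leaves their attributes intact,
// so a second pass removes every attribute from the surviving tags; that is
// what stops <b onmouseover="..."> from carrying script. A real application
// should use a maintained HTML purifier rather than this sketch.
function sanitize_trusted_html($html)
{
    $allowed = 'b|i|p|br';
    $html = strip_tags($html, '<b><i><p><br>');
    return preg_replace('/<(\/?)(' . $allowed . ')\b[^>]*>/i', '<$1$2>', $html);
}

// Constructed sample input: a profile field carrying a script tag, as the
// MySpace worm did, plus an attribute-breaking value and a "trusted HTML" field.
$payload = '<script>document.body.innerHTML = "samy is my hero"</script>';
$attr    = '" onmouseover="alert(1)';
$rich    = '<b onmouseover="alert(1)">bold</b><script>alert(2)</script>';

echo "escaped:        ", escape_html($payload), "\n";
echo "wrong order:    ", escape_html_wrong_order('Tom & Jerry <3'), "\n";
echo "attribute:      <div title=\"", escape_html($attr), "\">", "\n";
echo "sanitized html: ", sanitize_trusted_html($rich), "\n";
```

Run it with `php example.php`. The first line shows the script tag rendered harmless, the second shows the double-encoding that the wrong replacement order produces, the third shows the injected double quote neutralised so the attribute cannot be broken out of, and the last shows the event handler stripped from the allowed `<b>` tag while the `<script>` tag itself is removed (its text content remains, as plain text).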
Please post comments or corrections to the Author Online forum at
http://www.manning-sandbox.com/forum.jspa?forumID=329
2.6.3 The Model in M-V-C
We have spent a lot of time in this chapter talking about the controller and the view, as these are the minimum
required for a hello world application. In a real application, though, the model side of MVC takes on more
importance, as this is where the business logic of the application resides.