Quick-hit responses in general.
Hockey: Security through obscurity is an entirely different topic. Yes, major security firms do follow responsible disclosure. Bruce Schneier's take was right on - it's not about hiding the vulnerability (that would be security through obscurity), it's about reducing the potential damage by minimizing the time-to-patch ( http://www.schneier.com/crypto-gram-0203.html#2 ), but once again, this is off-topic, and if you would like to start a new thread about disclosure, feel free; it's a HUGE discussion. It will easily take dozens of replies to dig into.
PJ: Whether you feel it's a risk or not doesn't change the facts. Given a template with embedded php tags (and the ones you currently offer for aatrade contain them), an admin using template-lite has two choices: examine the entire template for risks, or accept the risk. With smarty, there is a third choice: turn on security, and you are safe from that risk.
That is why *I* feel your library isn't appropriate for BNT, and won't endorse it for situations where admins routinely do not examine templates line-by-line.
The difference between *template* code and *php* code - especially with these engines - should be night and day in terms of risk. Smarty recognized that, and added those protections. It baffles me that it's not a concern to more people.
I stand by my statement. It's a security flaw. Can a template do more than present output?
YES. That's broken. We preach on these forums about the importance of filtering data, and yet here, people are saying it's perfectly acceptable to have data (templates) that performs actions, and saying "hey, filter that" isn't a security issue?
Madness, foolishness, and arrogance.
I've said my piece, and it's a no-brainer to me. I'm not using a library that requires blind faith, or perfect vigilance for template code. I'll use a library that recognizes the danger, and puts controls in place to manage that risk.
If you disagree, if you feel it's safe, if you feel that's a reasonable risk, that's your choice.
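The first of the two choices the post gives a template-lite admin (examine the entire template for embedded code) can be partly automated. The following is an added example, not code from the original thread or from template-lite, Smarty, aatrade or BNT: a small Python scanner that flags the lines of a Smarty-style template that carry PHP open tags or a `{php}` block, i.e. lines that make the template perform actions rather than present output. The sample template and the `{php}` block syntax are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample template in the style of a Smarty/template-lite template
# that mixes presentation markup with embedded PHP (the risk the post describes).
# It is made up for this example and not taken from any real project.
SAMPLE_TEMPLATE = """<?xml version="1.0"?>
<html><body>
<h1>Welcome, {$username}</h1>
<?php echo $db->query("SELECT * FROM users"); ?>
<p>{$credits} credits</p>
<?= $secret ?>
{php} mail($to, 'hi', $body); {/php}
</body></html>
"""

# Patterns that turn a template from "presents output" into "performs actions".
# <?xml ...?> is excluded because it is a harmless processing instruction.
PHP_TAG = re.compile(r"<\?(?!xml\b)(?:php\b|=|\s)", re.IGNORECASE)
# {php} block syntax is assumed here for illustration.
PHP_BLOCK = re.compile(r"\{php\}", re.IGNORECASE)


def scan_template(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, stripped_line) for each line carrying executable code."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PHP_TAG.search(line):
            findings.append((lineno, "php-tag", line.strip()))
        elif PHP_BLOCK.search(line):
            findings.append((lineno, "php-block", line.strip()))
    return findings


def is_presentation_only(text: str) -> bool:
    """True when the template contains no embedded PHP at all."""
    return not scan_template(text)


if __name__ == "__main__":
    for lineno, kind, line in scan_template(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {kind}: {line}")
```

A clean result from this check is necessary but not sufficient: it only catches the embedded-PHP patterns listed, which is exactly why the post prefers an engine-level security switch over line-by-line review.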