
Revision 3506ba63

ID3506ba639f2efbd367a59feab9a396b8a697361b
Parent 3ee880c9
Child 36e7bab9

Added by Bastian Waidelich almost 7 years ago

[!!!][FEATURE] Consistent escaping behavior

This is a major rework of the interceptors that are currently mostly
used to automatically apply ``htmlspecialchars()`` to dynamic strings
in Fluid templates.

This is a breaking change because it affects the basic escaping
behavior of Fluid:

The escaping interceptor is now always enabled by default. Previously
this was only the case if the request format was unknown or equal to
"html".
To disable the automatic escaping add ``{escapingEnabled=false}``
anywhere in the template or (preferably) use the raw ViewHelper::

{objectAccess -> f:format.raw()}
{x:some.viewHelper() -> f:format.raw()}
{objectAccess -> x:some.viewHelper() -> f:format.raw()}
<f:format.raw><x:some.viewHelper /></f:format.raw>

Furthermore, the ``escapingInterceptorEnabled`` flag in the
``AbstractViewHelper`` has been deprecated in favor of a new flag
``escapeChildren``. The behavior of the flag is still the same though
and the old name will still work.

Lastly, the output of ViewHelpers is now also escaped by default!
Previously ViewHelper authors had to take care of that themselves
which was error-prone and less flexible.
The escaping of a custom ViewHelper can be disabled by setting the new
flag ``escapeOutput`` to FALSE in the ViewHelper class.
But this should only be necessary if:
a) The result of ``$this->renderChildren()`` is used directly as output
(child nodes are escaped by default).
b) The ViewHelper renders HTML code.
Beware: in that case the output will need manual data sanitization.
ViewHelpers extending ``AbstractTagBasedViewHelper`` will already
have the flag set.

All provided ViewHelpers are adjusted accordingly with one exception:
The output of URI-ViewHelpers such as ``uri.action`` or ``widget.uri``
is now escaped for consistency reasons. If those are used to render HTML
tag attributes the new behavior is desired because those will be
properly encoded now. If the result of a URI ViewHelper is used
directly, for example within some inline JavaScript, the new escaping
might break. In this case the raw ViewHelper can be used, as described
above and as is done in the ``Index.html`` template of the ``Autocomplete``
widget.

Affected packages can be adjusted automatically by running the provided
core migration::

./flow core:migrate --version 20150214130800

Change-Id: I1e4cd0942dcf7b0726f3d3892bf8713cba89e9a4
Depends: If66a2dff21b239963728963f15437599a8442f72
Releases: master
Resolves: FLOW-26
Migration: TYPO3.Fluid-20150214130800
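The commit message above describes three situations a ViewHelper author ends up in under the new rules: plain text output (nothing to configure), returning ``$this->renderChildren()`` directly (case a), and rendering HTML markup (case b). The following is an added example written for this page, not code from the commit or from the TYPO3.Fluid package; the base class name ``TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper``, the vendor namespace ``Acme\Demo`` and the ``acme`` template prefix are assumptions. The point it makes for case (b) is that once ``escapeOutput`` is FALSE, every dynamic value the ViewHelper embeds has to be escaped by the ViewHelper itself, at the point where it is inserted into the markup.

```php
<?php
// Added example, not part of the commit. Base class and vendor namespace
// are assumptions; the escaping rules follow the commit message above.
namespace Acme\Demo\ViewHelpers;

use TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper;

/**
 * Plain text output: no flags needed. $escapeOutput defaults to TRUE, so
 * the escaping interceptor applies htmlspecialchars() to the return value.
 * An argument of "<script>" ends up in the page as "&lt;script&gt;".
 *
 * Usage: {acme:greeting(name: user.name)}
 */
class GreetingViewHelper extends AbstractViewHelper {
	/**
	 * @param string $name
	 * @return string
	 */
	public function render($name) {
		return 'Hello ' . $name;
	}
}

/**
 * Case (a): the result of renderChildren() is returned unchanged. Child
 * nodes are already escaped by default (escapeChildren), so output
 * escaping is switched off to avoid escaping the same text twice.
 *
 * Usage: <acme:wrap>{comment.body}</acme:wrap>
 */
class WrapViewHelper extends AbstractViewHelper {
	/**
	 * @var boolean
	 */
	protected $escapeOutput = FALSE;

	/**
	 * @return string
	 */
	public function render() {
		return '[' . $this->renderChildren() . ']';
	}
}

/**
 * Case (b): the ViewHelper renders HTML markup itself, so output escaping
 * must be off or the <strong> tags would be shown literally. That makes
 * this class responsible for escaping every dynamic value it embeds.
 * The text is split on the raw needle first and each piece is escaped
 * separately, so a needle such as "amp" can never cut an entity like
 * "&amp;" in half. ENT_QUOTES keeps the result safe inside attribute
 * values as well as element content.
 *
 * Usage: <acme:highlight text="{comment.body}" needle="{searchTerm}" />
 */
class HighlightViewHelper extends AbstractViewHelper {
	/**
	 * @var boolean
	 */
	protected $escapeOutput = FALSE;

	/**
	 * @param string $text Untrusted text to search in
	 * @param string $needle Untrusted substring to wrap in <strong>
	 * @return string HTML fragment with all dynamic parts escaped
	 */
	public function render($text, $needle) {
		$escape = function ($value) {
			return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
		};
		if ($needle === '') {
			return $escape($text);
		}
		$parts = array_map($escape, explode($needle, $text));
		return implode('<strong>' . $escape($needle) . '</strong>', $parts);
	}
}
```

For the URI case the commit message singles out, the same reasoning applies from the template side: an escaped ``uri.action`` result is exactly what an ``href`` attribute needs, while a value placed into inline JavaScript is a different context, which is why the commit message points to ``f:format.raw()`` there rather than to a flag on the ViewHelper.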
