« Previous | Next » 

Revision ebc454f5

Parent 77e94925
Child 7eb84363, e54d3504

Added by Bastian Waidelich over 7 years ago

[!!!][FEATURE] Consistent escaping behavior

This is a major rework of the interceptors that are currently mostly
used to automatically apply ``htmlspecialchars()`` to dynamic strings
in Fluid templates.

This is a breaking change because it affects the basic escaping
behavior of Fluid:

The escaping interceptor is now always enabled by default. Previously
this was only the case if the request format was unknown or equal to
To disable the automatic escaping add ``{escapingEnabled=false}``
anywhere in the template or (preferably) use the raw ViewHelper::

{objectAccess -> f:format.raw()}
{x:some.viewHelper() -> f:format.raw()}
{objectAccess -> x:some.viewHelper() -> f:format.raw()}
<f:format.raw><x:some.viewHelper /></f:format.raw>

Furthermore the ``escapingInterceptorEnabled`` flag in the
``AbstractViewHelper`` has been deprecated in favor of a new flag
``escapeChildren``. The behavior of the flag is still the same though
and the old name will still work.

Lastly the output of ViewHelpers is now also escaped by default!
Previously ViewHelper authors had to take care of that themselves
which was error-prone and less flexible.
The escaping of a custom ViewHelper can be disabled by setting the new
flag ``escapeOutput`` to FALSE in the ViewHelper class.
But this should only be necessary if:
a) The result of ``$this->renderChildren()`` is used directly as output
(child nodes are escaped by default).
b) The ViewHelper renders HTML code.
Beware: In that case the output will need manual data sanitization
ViewHelpers extending ``AbstractTagBasedViewHelper`` will already
have the flag set.

All provided ViewHelpers are adjusted accordingly with one exception:
The output of URI-ViewHelpers such as ``uri.action`` or ``widget.uri``
is now escaped for consistency reasons. If those are used to render HTML
tag attributes the new behavior is desired because those will be
properly encoded now. If the result of an URI ViewHelper is used
directly, for example within some inline JavaScript the new escaping
might break. In this case the raw ViewHelper can be used, as described
above like done in the ``Index.html`` template of the ``Autocomplete``

Change-Id: I3b05926a6795f8af382abf7966e20cd9989e5742
Releases: master
Resolves: FLOW-26

  • added
  • modified
  • copied
  • renamed
  • deleted