[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax

Helmut Hummel helmut.hummel at typo3.org
Wed Jul 2 22:44:13 CEST 2014


Hi Sebastian!

On 02.07.14 07:57, Sebastian Kurfürst wrote:

> the way it is supposed to be is that *both* syntaxes do exactly the
> same, as internally, they are represented in the same manner.

Well, obviously both syntaxes work the same, which is consistent from a 
certain perspective and probably hard to change at this point (as it 
would be breaking).

> If we should escape "&" always, that should then be done in all cases.

It is not about this particular view helper and always html encoding 
would be wrong anyway.


What I want is to challenge the decision that the shorthand syntax does 
not call the escaping interceptor (when last in chain).


When looking into the documentation[1] there is the following example:

<link rel="stylesheet" href="{f:uri.resource(path:'myCssFile.css')}" />

This is probably the one major use case for the shorthand syntax – 
rendering something inside an HTML attribute.

The problem with this example is, that it is technically *wrong*!
Why is it wrong? Imagine the following:

<a href="{f:uri.resource(resource:'{obj.file.resource}')}">Download</a>

While the resource has the file name 'fileWith"quotes".txt'

The rendered output would be:

<a href="path/to/fileWith"quotes".txt">Download</a>

It is wrong because the HTML encoding is missing.

Currently one has to write:

<link rel="stylesheet" href="{f:uri.resource(path:'myCssFile.css') -> 
f:format.htmlentities()}" />


Basically for the most apparent use case for the shorthand syntax inside 
HTML templates (rendering a view helper inside an HTML attribute),  "-> 
f:format.htmlentities()" *must* be appended in order to prevent 
potentially broken HTML or even security issues.

Let's look at another example:


<a title="{obj.file.title}"
href="{f:uri.resource(resource:'{obj.file.resource}') -> 
f:format.htmlentities()}">Download</a>


for {obj.file.title} the escaping interceptor is called, while for 
{f:uri.resource(resource:'{obj.file.resource}')} the escaping has to be 
done "manually"!

While I understand that it is technically consistent that the shorthand 
syntax of a view helper produces the same result as the "regular" 
syntax, from a user perspective it is far from obvious and at least very 
inconvenient.


At least the current behavior was unexpected for me and judging from 
Aske's answer, I'm not completely alone with this expectation ;)


My expectation was/is that for everything written in curly braces, the 
escaping interceptor is being called after all, which would also be 
quite consistent btw.


Kind regards,
Helmut

[1]http://docs.typo3.org/flow/TYPO3FlowDocumentation/TheDefinitiveGuide/PartIII/Templating.html

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
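The breakage Helmut describes, reproduced as an added example that is not part of the mail or of Fluid itself. The constructed sample mirrors his case: a resource whose file name contains double quotes, rendered into an href attribute once without escaping (the current shorthand behaviour) and once with the value HTML-encoded (what appending -> f:format.htmlentities() gives). Python's html.escape stands in for the Fluid interceptor, and HTMLParser shows what a browser-style parser actually sees as the attribute value in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample input, matching the example in the mail.
FILE_NAME = 'fileWith"quotes".txt'
BASE_PATH = "path/to/"


def render_download_link(file_name, escape_attribute):
    """Emulate rendering a shorthand view helper into an href attribute.

    escape_attribute=False mirrors the current Fluid shorthand behaviour
    (no escaping interceptor); escape_attribute=True mirrors the value
    after '-> f:format.htmlentities()' (hypothetical stand-in: html.escape).
    """
    value = BASE_PATH + file_name
    if escape_attribute:
        # quote=True also encodes " and ' so the value cannot close the attribute.
        value = html.escape(value, quote=True)
    return f'<a href="{value}">Download</a>'


class HrefCollector(HTMLParser):
    """Collect every href attribute value a tolerant HTML parser extracts."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href":
                self.hrefs.append(value)


def parsed_href(markup):
    """Return the first href value as an HTML parser decodes it."""
    collector = HrefCollector()
    collector.feed(markup)
    collector.close()
    return collector.hrefs[0] if collector.hrefs else None


if __name__ == "__main__":
    for escape in (False, True):
        markup = render_download_link(FILE_NAME, escape)
        print("escaped" if escape else "raw    ", markup)
        print("        parser sees href =", repr(parsed_href(markup)))
```

Without escaping, the first double quote in the file name terminates the attribute, so the parser sees href="path/to/fileWith" and the rest of the name is swallowed as junk attributes; with the value encoded, the parser decodes &quot; back to the intended file name. The same encoding is what the escaping interceptor would have applied had it run for the shorthand syntax.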

