[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax
Jigal van Hemert
jigal.van.hemert at typo3.org
Thu Jul 3 00:22:30 CEST 2014
Hi,
On 2-7-2014 22:44, Helmut Hummel wrote:
> What I want is to challenge the decision that the shorthand syntax does
> not call the escaping interceptor (when last in chain).
>
> When looking into the documentation[1] there is the following example:
>
> <link rel="stylesheet" href="{f:uri.resource(path:'myCssFile.css')}" />
>
> This is probably the one major use case for the shorthand syntax –
> rendering something inside an HTML attribute.
A major issue is that fluid doesn't know the context (what about output
inserted in JavaScript arguments; then a different type of escaping is
necessary).
The parsing is done with regular expressions instead of a tokenizer. You
don't even have to use the shorthand syntax. It looks ugly, but you can
use fluid tags inside an argument of an HTML tag.
With a tokenizer solution the context would be known and the escaping
interceptor could decide how to escape.
> <a href="{f:uri.resource(resource:'{obj.file.resource}')}">Download</a>
We really shouldn't do or promote this in any way. An a-tag (and many
more) should be generated by a complete viewhelper, instead of injecting
dynamic data in hardcoded fragments.
> While I understand that it is technically consistent that the shorthand
> syntax of a view helper produces the same result as the "regular"
> syntax, from a user perspective it is far from obvious and at least very
> inconvenient.
>
> At least the current behavior was unexpected for me and judging from
> Aske's answer, I'm not completely alone with this expectation ;)
>
> My expectation was/is that for everything written in curly braces, the
> escaping interceptor is being called after all, which would also be
> quite consistent btw.
People expect that it is now done the right way and the automatic
escaping works in all cases. It is also not to be expected from the
target users of fluid templating that they have to consider all kinds of
security steps while building a template.
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org
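A constructed illustration of the point made in the message above, added here and not taken from the thread or from Fluid's code base: a tiny tokenizer-based renderer that tracks whether a `{name}` placeholder sits in HTML text, in a quoted attribute value, or inside a `<script>` element, and chooses the escaper from that context. The functions `render` and `escapeFor`, the context constants, and the sample template and variable values are all assumptions made for this example; using `json_encode` as the JavaScript-string encoder for the script context is one possible choice, not what Fluid does.

```php
<?php
declare(strict_types=1);

// Constructed demo: context-aware escaping of `{name}` placeholders.
// Not Fluid code. It shows what a tokenizer-based renderer can do that a
// regex-based one cannot: pick the escaper from the placeholder's position.

const CTX_TEXT   = 'text';    // element content
const CTX_ATTR   = 'attr';    // quoted attribute value
const CTX_SCRIPT = 'script';  // inside <script>...</script>

/** Escape a value for the given output context. */
function escapeFor(string $context, string $value): string
{
    switch ($context) {
        case CTX_TEXT:
        case CTX_ATTR:
            // Entity-encode & < > " ' so the value can neither inject markup
            // nor terminate a double- or single-quoted attribute.
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case CTX_SCRIPT:
            // Entities are not decoded inside <script>, so emit a JS string
            // literal instead; JSON_HEX_* keeps quotes and "</script>" from
            // terminating the literal or the script element.
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
    }
    throw new InvalidArgumentException("unknown context: $context");
}

/**
 * Minimal tokenizer: walks the template character by character, tracking
 * tag / quoted-attribute / script state, and replaces {name} with the
 * escaped variable. Unquoted placeholders inside a tag are rejected,
 * because no single escaper makes those safe.
 */
function render(string $template, array $vars): string
{
    $out = '';
    $len = strlen($template);
    $inTag = false;     // between '<' and '>'
    $quote = null;      // current attribute quote character, or null
    $inScript = false;  // between <script ...> and </script>
    $tagName = '';

    for ($i = 0; $i < $len; $i++) {
        $c = $template[$i];

        // Placeholder? Only `{identifier}` naming a known variable counts.
        if ($c === '{' && ($close = strpos($template, '}', $i)) !== false) {
            $name = substr($template, $i + 1, $close - $i - 1);
            if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) && array_key_exists($name, $vars)) {
                if ($inTag && $quote === null) {
                    throw new RuntimeException("unquoted placeholder {{$name}} inside a tag");
                }
                $ctx = $quote !== null ? CTX_ATTR : ($inScript ? CTX_SCRIPT : CTX_TEXT);
                $out .= escapeFor($ctx, (string) $vars[$name]);
                $i = $close;
                continue;
            }
        }

        if ($quote !== null) {
            if ($c === $quote) {
                $quote = null;
            }
        } elseif ($inTag) {
            if ($c === '"' || $c === "'") {
                $quote = $c;
            } elseif ($c === '>') {
                $inTag = false;
                if (strcasecmp($tagName, 'script') === 0) {
                    $inScript = true;
                } elseif (strcasecmp($tagName, '/script') === 0) {
                    $inScript = false;
                }
            }
        } elseif ($inScript) {
            // Inside a script only the closing tag matters; '<' in JS code
            // (e.g. a comparison) must not be mistaken for a tag start.
            if (substr_compare($template, '</script', $i, 8, true) === 0) {
                $inTag = true;
                $tagName = '/script';
            }
        } elseif ($c === '<' && preg_match('/^<(\/?[A-Za-z][A-Za-z0-9]*)/', substr($template, $i), $m)) {
            $inTag = true;
            $tagName = $m[1];
        }
        $out .= $c;
    }
    return $out;
}

// Constructed sample: the same value lands in three different contexts.
$template = '<a href="{url}" title=\'{title}\'>{title}</a>'
          . '<script>var t = {title};</script>';
$vars = ['url' => '/download', 'title' => 'Tom & "Jerry" </script>'];
echo render($template, $vars), PHP_EOL;
```

Running the snippet shows the attribute and text occurrences entity-encoded and the script occurrence emitted as a JavaScript string literal with `<`, `>` and the quotes hex-escaped; the same input, escaped the same way everywhere, would be wrong in at least one of those places, which is the context problem a regex-based parser cannot see.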