[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax
Bastian Waidelich
bastian at typo3.org
Thu Jul 3 15:09:01 CEST 2014
Helmut Hummel wrote:
>> Changing the behavior depending on the context could also be very
>> misleading and difficult to comprehend[1].
> Changing the behavior depending on the context would make much sense.
Ok, let's just agree to disagree on that matter ;)
> <p style="color: {obj.color};" title="{obj.title}">;
>
> {obj.color} -> wrong escaping
Why would that be wrong?
>
> <script type="text/javascript">
> var userName = {user.name};
> </script>;
>
> {user.name} -> wrong escaping
I'm not trying to defend Fluid here, but I wouldn't call this "wrong"
either; the variable would be "htmlspecialchared", which might be desired
and could be avoided with {user.name -> f:format.raw()}
BTW: running a variable through a ViewHelper does not disable the
escaping per se - only for the VH arguments.
That means that the format.* ViewHelpers do not disable escaping for
example.
There are nasty exceptions though:
{string -> f:format.crop(maxCharacters: 10)} // escaping active
{f:format.crop(value: string, maxCharacters: 10)} // escaping inactive!
This is consistent in the technical sense, but it is obviously very
error-prone and I suggest fixing those rare cases by applying the
escaping manually where applicable.
--
Bastian Waidelich
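Added example, not part of the thread and not Fluid's own code: a small PHP script that shows what the escaping discussed above produces for the two quoted template snippets. Fluid's escaping interceptor is modelled here by plain htmlspecialchars(); the helper names escapeHtml and escapeJs and the sample values are my own constructions, and the fragments are built with sprintf() instead of a Fluid template.

```php
<?php
// Added example (not Fluid's code): what HTML escaping and JSON encoding
// produce for the attribute and <script> snippets quoted in the thread.

function escapeHtml(string $value): string
{
    // Conceptually what the Fluid escaping interceptor does: htmlspecialchars.
    // ENT_QUOTES also encodes single quotes, so attribute values stay intact.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escapeJs(string $value): string
{
    // For a JavaScript context the right unit is a JSON string literal:
    // json_encode adds the surrounding quotes and escapes backslashes and
    // quotes; the JSON_HEX_* flags additionally encode <, >, &, ' and "
    // so the literal can never terminate the enclosing <script> element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// Constructed sample data, chosen to contain characters that matter in
// both contexts (quotes, an ampersand, angle brackets).
$obj  = ['color' => 'red', 'title' => 'Tom & "Jerry"'];
$user = ['name' => "O'Brien <admin>"];

// Attribute context ({obj.color}, {obj.title}): HTML escaping is the
// appropriate escaping here and the markup stays well-formed.
$paragraph = sprintf(
    '<p style="color: %s;" title="%s">',
    escapeHtml($obj['color']),
    escapeHtml($obj['title'])
);
echo $paragraph, PHP_EOL;

// Script context as the shorthand syntax renders it ({user.name} run
// through htmlspecialchars): the value lands in JavaScript as an unquoted
// token containing HTML entities.
$scriptHtmlEscaped = sprintf('var userName = %s;', escapeHtml($user['name']));
echo $scriptHtmlEscaped, PHP_EOL;

// Script context with an explicit JSON literal (the kind of pre-encoded
// value one would pass through f:format.raw()): a valid JavaScript string
// with no characters that could close the <script> block.
$scriptJson = sprintf('var userName = %s;', escapeJs($user['name']));
echo $scriptJson, PHP_EOL;
```

Run it with `php escaping.php`. The first line prints an intact `<p>` tag with the quotes and ampersand in the title encoded; the second shows the apostrophe and angle brackets of the user name turned into `&#039;`, `&lt;` and `&gt;` inside a JavaScript statement, which is what the thread means by the context-dependent result of the shorthand syntax; the third shows the same name as a quoted JSON string with those characters encoded as `\u` escapes, which is the form that is safe to emit raw into a script block.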